

IN THE DISTRICT COURT OF OKLAHOMA COUNTY 
STATE OF OKLAHOMA 


Jean Bookout; Charles Schwarz, )
individually and as Personal )
Representative of the Estate of )
Barbara Schwarz, deceased; )
Richard Forrester Brandt, as )
Personal Representative of the )
Estate of Barbara Schwarz, )
deceased, )
)
Plaintiffs, )
)
vs ) CJ-2008-7969
)
Toyota Motor Corporation; Toyota )
Motor Sales, U.S.A., Inc.; )
Toyota Motor Engineering and )
Manufacturing North America, )
Inc.; Aisan Industry Co., Ltd., )
)
Defendants. )

TRANSCRIPT OF PROCEEDINGS 
HAD ON THE 14TH DAY OF OCTOBER, 2013 
AFTERNOON SESSION 

BEFORE THE HONORABLE PATRICIA G. PARRISH 
DISTRICT JUDGE 


Reported by: Kim Lewin, CSR 


THIS TRANSCRIPT IS NOT PROOFREAD 




APPEARANCES:

For the Plaintiffs: 

Mr. Benjamin E. Baker, Jr., Attorney at Law 

Mr. R. Graham Esdale, Jr., Attorney at Law 

Mr. Jere Locke Beasley, Attorney at Law 

Beasley, Allen, Crow, Methvin, Portis & Miles, P.C. 

218 Commerce Street 

Montgomery, Alabama 36104 


Mr. Larry Tawwater, Attorney at Law 
The Tawwater Law Firm, PLLC 
One Leadership Square 
211 North Robinson, Suite 1950 
Oklahoma City, Oklahoma 73102 


For the Defendants: 

Mr. J. Randolph Bibb, Jr., Attorney at Law 
Mr. Ryan N. Clark, Attorney at Law 
Lewis, King, Krieg & Waldrop, P.C. 

424 Church Street, Suite 2500 
Nashville, Tennessee 37219 


Mr. James A. Jennings, Attorney at Law 
Mr. J. Derrick Teague, Attorney at Law 
Mr. Haylie Treas, Attorney at Law 
Jennings Cook & Teague 
204 North Robinson, Suite 1000 
Oklahoma City, Oklahoma 73102 


Mr. Joel H. Smith, Attorney at Law 
1441 Main Street, Suite 1200 
Columbia, South Carolina 29201 




THE COURT: We are back on the record. The members of the jury are present, as well as counsel and their clients. Mr. Barr is still on the stand.

I was thinking, I didn't remember if I swore you in earlier, but I did. I remind you, sir, you are still under oath. And Mr. Baker, you may continue your direct exam.

MR. BAKER: Thank you, your Honor. Could you lower the light for us?

THE COURT: Yes.

MR. BAKER: Slide 19.

Q. (BY MR. BAKER) All right, Mr. Barr. We left off at slide 19, and I think we were about to transition. You had mentioned, I believe, that you had done some software testing in the Code Room in Maryland, correct?

A. That's correct.

Q. And I think one of the last things you said you mentioned you had also been involved with some vehicle testing?

A. Yes. I wasn't directly involved with the vehicle testing. I wasn't there when the vehicles were tested, but what we had simulated in the Source Code Room was the tasks could die and so the operating system by these corruptions inside the critical data structures. And some testing was done by a gentleman named Mr. Louden, using 2008 and 2005 Camry vehicles.

Q. All right. And I think the jury's heard a little bit about that before. Were you involved in helping him do that process?

A. Yes. I was involved in assisting from the Code Room.

Q. All right. What was the purpose of doing the -- and I suppose they were software tests?

A. Yes.

Q. What was the purpose of running the software tests on the 2008 and 2005 Camry, generally speaking?

A. Well, the Source Code Review had indicated both that task could die by the memory corruption, and that also that one of the side effects of that would be that this -- for example, that task died, that many of the fail safes would be disabled. And so the purpose of vehicle testing -- in the room, of course, we didn't have the real hardware. We could simulate the operating system, we could simulate the task to a certain extent running on the process server but it wasn't on the circuit board and it wasn't in the car.

And so that testing was to perform the same testing and demonstration to determine what the fail safes would do, if anything, in response to this task death.

Q. So Mr. Louden ran multiple tests on the '08 and '05 Camry?

A. That's correct.

Q. And all looking at how the software task made out?

A. That's correct.

Q. Was that reported in some fashion?

A. Yes. The testing that he performed, he used data logging equipment to record, you know, things like the accelerator pedal position, both sometimes outside the car, what it looked like, electrically.

And also inside the computer there was a tool that we had from Toyota called a Techstream. He was able to monitor certain memory locations inside the computer log. Ran to see, for example, whether the computer thought the brake was pressed, in comparison to whether the brake was actually pressed and things like that.

Q. Was the data that he collected from these tests compiled into some documentation that people like you could take and read and use?

A. Yes, in Mr. Louden's expert reports.

Q. All right. And have you reviewed the data and reports of failure relating to the test that was done on the '08 and '05 Camry?

A. I have.

Q. Have you considered that information as part of your analysis in this case?
A. Yes.

Q. In terms of talking about, from this slide, memory corruption and task death, have you pulled the piece of the data from some of the testing that helps explain what you are talking about?

A. Yes.

Q. Is that the next slide?

A. Yes, it is.

Q. Let's look at that.

All right. The title here is Example of Unintended Acceleration. The first thing I wanted you to do is tell us what it is we're looking at.

A. Okay. So we're looking at a bunch of different pieces of data all plotted together in one graph. And just to generally orient you, elapsed time that is being measured across the bottom in seconds. So this particular piece of the graph begins at time 80 seconds on his clock and ends a little bit after 150 seconds, maybe 155 there.

And then on the vertical axis we see the speed of the vehicle. He was measuring that in kilometers per hour. And so we're seeing that in kilometers per hour. I've made some notes here in miles per hour to make it a little easier to understand.

Q. Is a plot of some of the data that Mr. Louden collected from some of his testing?

A. Yes. 

Q. Can you walk us through it and explain to us what 
we're seeing here? 

A. Sure. I've tried to make clear what the different 
colors of the data mean. So for example, the speed of 
vehicle is this blue line. The throttle angle is 
measured here on this red line. And then there is, 
whether the brake is on and off is a binary signal, on or 
off. And so it looks like it goes way up to the top of 
the graph. It just really means the brake was not on, 
the brake was tapped and the brake is on solid. 

Q. Just so I'm clear, where we see these intermittent 
green lines, is that somebody tapping the brake? 

A. That's correct. 

Q. And when we see up here at the top, it's a long 
piece. That means the brake is applied at hilt? 

A. That's correct. 

Q. Okay. What were you simulating in this? 

A. So you can see there is a vertical line here at time, just before 100, maybe 98 seconds. And that is the marker for the point in time it tests when this task-X was killed and the mechanism of killing it was to flip one bit inside the operating system. So those working inside the Code Room indicated particular bit to flip to Mr. Louden.


Q. All right. Let me back up and ask you additional questions. In this testing that was done on the vehicle, was the test required to go in and simulate some occurrence in order to have task-x data?

A. I'm sorry. I don't understand your question.

Q. Did it have -- did the person that ran the test have to make the task die?

A. Yes. So using the same Techstream, laptop basically as Toyota test equipment hooked up to the car's computer, he was able to simulate the bit flip. Of course we can't -- you know, as scientists we want to test something, we need to be able to make it happen, we need to make it happen in no time. We can't just wait around for that particular bit to flip, which may take a long time.

So he was able, using that same computer, to, you know, enter a command and cause that bit to flip. And then that would have the effect of killing that task in the vehicle. And then the rest of the data is the data collection of the car's behavior around then.

Q. Does he drive this car on the road?

A. No. He's doing it on what's called a dynamometer. In Maryland, anyway, when you get your car's emissions tested you put your car on a dynamometer, where the front wheels -- the drive wheels are turning and the car's not going anywhere. He had a similar arrangement.

Q. All right. And so, this vertical line, I'm 
estimating, is somewhere close to 100 seconds into that 
test, he's able to, using a computer, to kill task-x? 

A. That's correct. 

Q. When you say kill task-x, what does that mean in 
terms of the car's operation? 

A. Well, the graph is showing that at that time you have all of the tasks alive, but you don't have this task-x running. And we're seeing what happens to the vehicle, which is a loss of throttle control subsequent to that.

Q. And in a previous slide when you were talking about 
memory corruption, killing task-x and causing a UA, is 
that an example of that? 

A. That's correct. 

Q. Tell us what happened after the task was killed.

A. After the task was -- so the setup here with this particular test was that the car had been run in the time, obviously, before 80 seconds and using the accelerator pedal, Mr. Louden had gotten the vehicle up to this 68 miles an hour and he had set the cruise control. So now he had the car driving at cruise control at 68 miles an hour.

And then he canceled the cruise control and a little bit later here at this inflection point, the bottom of the blue line, he hit the resume button on the cruise. So it'd try to go back to the speed of the vehicle that was previously set, which was about 68 miles an hour.

So if it starts at — I didn't calculate there in 
miles per hour, but you can see the inflection point at 
the bottom in the blue, it starts below 68 miles an hour. 
And then of course, the car begins to accelerate because 
the car is operating normally. 

What happens is that the task death caused in this 
particular test. Because that task was not there when 
the vehicle actually reached the set point of 68 miles an 
hour, it should have closed the throttle more and slowed 
the vehicle -- or not slowed the vehicle, but kept the 
vehicle going at 68 miles an hour. Instead, the throttle 
remained open and the vehicle continued to accelerate. 

And you can see that this total length time with the 
throttle open, letting in air, and the car accelerating 
to past two and past the cruise set point, is 
approximately 30 seconds. So from time, about 100, until 
a time, about 130. 

Now, Mr. Louden, as I understand it, at this point got nervous at 90 miles an hour because the vehicle was on the dynamometer. And so at that time he pressed on the brake solidly and continuously this whole time.

There's a couple of effects you should be aware of 
because it was on the dynamometer. First of all, is that 
on a dynamometer, there is a lot of momentum in the 
dynamometer itself. So when he started braking there and 
a fail-safe, called a brake echo, kicked in, at that time 
the vehicle did not decelerate as fast as it would have 
on the road. 

But what we see here is that there was an unintended acceleration or a loss of throttle control that spanned from time 98 until about time 129 when he pressed on the brake solidly at that time.

Q. You mentioned at -- was it at this point that the 
fail-safe kicked in with the brake applied? 

A. Yes. The -- at -- it would be within that, between 
that 129 and 130-second gap. 

Q. All right. So we see in some of these green lines, 
he just taps the brake and the fail-safe did not come on? 
A. Yes. That's correct. 

Q. All right. And now, this is also from the 2008 
Camry? 

A. Right. So this was the first testing that was 
performed was on a 2008 Camry. 

Q. You mentioned earlier that you had looked at other 
cases or been involved in other cases, correct? 
A. Yes.

Q. One of them was called Van Alfen?

A. That's correct.

Q. And I think the jury heard about that one. Another one was called St. John. Were you involved in that one?

A. Yes.

Q. In St. John, it involved a 2005 Camry?

A. That's correct. Same model as this case.

Q. In both cases, were you doing the same analysis that you're doing here?

A. In terms of the overall analysis?

Q. In terms of looking at UA?

A. Yes.

Q. And evaluating the software code?

A. That's correct.

Q. All right. Was Van Alfen the first case in which you had an opportunity to perform this type of analysis?

A. Yes, it was.

Q. And in that case, did you write a report for the Court that outlined your opinions in that case?

A. Yes.

Q. And were St. John and Van Alfen pending in what the judge has already told the jury, was an MDL or big federal litigation in California?

A. Yes, that's correct.

Q. All right. And were both cases being supervised by one judge?

A. Yes.

Q. Judge James Selna?

A. I don't know his first name. Judge Selna.

Q. All right. Very well. After you wrote your report in Van Alfen, did you come to realize that you had made an error relating to the brake echo?

A. Yes.

Q. All right. Tell me about that.

A. Well, at the time that I wrote my report in July of 2012, in the Van Alfen case, I did not understand that a portion of this behavior that occurred right here was a fail-safe in the second CPU, in the monitor CPU. And that was, in part, because Mr. Louden did not realize that the throttle had been cut at 129 there. He saw the engine stall at 132.

And additionally, it related to some source code that I had been provided just in the final weeks of my report writing. And that -- I made an error in my analysis of that code the first time.

Q. And once you realized there was an error, did you go back and look at it?

A. Yes. As soon as I became aware of that, which was in late September of 2012, within 10 days or so, I issued a supplemental report, reviewed the additional code and filed it in the same case.

Q. So you ultimately corrected your error? 

A. That's correct. 

Q. And the source code that you were looking at when 
this error occurred, was that the source code from what 
we've called the monitor CPU? 

A. Yes. The ESPB-2 monitor CPU. 

Q. And in the time frame there where you were looking 
at it, had there been a delay in producing that software 
code from Toyota? 

A. Yes. 

Q. Was there also a problem with getting the proper 
tools, and I may be using the wrong word, to read it? 

A. You're not using the proper terms. The source code 
for that ESPB-2 chip, despite being asked for much 
earlier, had not been produced until about three weeks 
before my report deadline. That was about -- that was in 
late June. So that was about -- almost six months after 
the rest of the source code for the main CPU had been 
produced. 

And so I had -- while I was preparing, of course, my full report, which is about the same size, to analyze this new code that had come in, within about three weeks, and write a report on that.

And additionally, Toyota only provided the source code and they did not provide the tool that went with it, called the assembler. This code is written in assembly language, which is a harder to read human source code language, more machine-like. And they were using one that needed a special compiler called an assembler and they didn't produce that or its user manual. And so I erred in my analysis on the basis of not having that manual or that tool.

Q. All right. And it wasn't an error in reading the 
code. You just hadn't read that part of the code yet, is 
that right? 

A. That's correct. The error related to something called a preprocessor directive which stemmed from not having the -- I made a logically reasonable decision and I consulted with my colleagues on making that decision. But without that actual tool we didn't have a definitive answer.

Q. And did Judge Selna ultimately allow you to supplement your report?

A. Yes, he did. 

Q. And did he ultimately conclude that part of the 
reason that you reached that error was due to a delay in 
production of software by Toyota? 

A. That's correct.

Q. Is there anything else about this particular slide you wanted to tell us?

A. Yeah. I just wanted to -- this is one example from the vehicle testing. And I just want to make a few points about it and it foreshadows some of the other things we're going to talk about.

First of all, is that this testing, although it was 
done on a dynamometer, is representative of what would 
happen in the vehicle on the road if you resumed cruise 
control and task-x was dead at the time. It would exceed 
the speed of your planned -- you know, set speed. And it 
would not, in this particular scenario, begin to correct 
anything until the driver acted. 

So the driver would have to realize that the car had 
gone above the 68, maybe much above the 68. And then 
when he stepped on the brake an action was taken in that 
particular scenario. 

This testing confirmed that -- so this was related to cruise control. But we've also confirmed that during this time the accelerator pedal is not responsive. So there are two ways you can tell the car how fast you want to go, one is the cruise control buttons and one is the accelerator pedal. And neither of them works during this dead task-x time.

The other thing is that this ended, this particular test ended when the driver stepped on the brake.

However, we have confirmed in other vehicle testing that I'll talk about later, that if the incident begins with the pedal, brake pedal pressed at all, even lightly, then the unintended acceleration will continue, potentially, forever unless the driver tries the risky thing of letting go of the brake while the car is driving away with him.

Q. So in other words, if you're driving down the road and you put your foot on the brake to slow down, for whatever reason, during that time period task-x is where it actually dies, the vehicle starts to accelerate. You've got to actually back off the brake and try and catch it?

A. That's correct. Which is both counterintuitive because your car is zooming away and you have to let go of the brake. And it's also dangerous because as you let off the pressure of the brake, at least you were applying some mechanical pressure, but as you let off the car speeds up. And so that may increase the risk in the short term, at least, before this fail-safe would take effect.

Q. And your foot on the brake, as you described, and your vehicle begins to accelerate while you're coming back off the brake, does that actually give you the impression that the vehicle was accelerating?

MR. BIBB: Objection. Leading. 

THE COURT: Sustained. 

MR. BAKER: I'll move on. Your Honor. 

Q. (BY MR. BAKER) Have we covered this slide?

A. Yes. I think so. 

Q. All right. We talked about memory corruption. Is 
this talking about it in any particular way? 

A. Yeah. So we've talked about the memory corruption that can happen and we've talked about some of the effects that that can have.

What this talks about is different ways that the corruption itself could happen, different types of software bugs, probably more detail than you wanted to know, but I wrote a whole chapter called software bugs in Toyota's code, and this slide summarizes the types of bugs that were found in Toyota's code that could cause bits to flip to memory to become corrupt.

Q. Could you describe each one of them for us as you have listed here?

A. Yes. The first type of software defect is a buffer 
overflow. This is where you have a region of the memory, 
let's say 100 bytes of space that's reserved for a 
particular buffer storage area. 

If the software contains a bug that writes past the 100 bytes, say, 101 bytes, that will obviously overwrite whatever is the next thing. I think Dr. Koopman gave an example where you had a notebook and you got to the back of the notebook and you accidentally wrote on top of the other pages. It's that kind of thing where you have another variable or another thing being stored and your code accidentally overwrites it and now it can take on a new value. So that is a buffer overflow.

Q. All right. What is — and do you find that to be a 
defect in the '05 Camry? 

A. Yes. The 2005 Camry code contains at least one 
buffer overflow. 

Q. Now, what's an invalid pointer? 

A. An invalid pointer dereference is if the -- quite technical. But if you have in one cell of your spreadsheet the information about the location of another cell in the spreadsheet. Let's say, on your spreadsheet it says cell E-5, a pointer is like that. In the source code it says, I'm not what you're looking for, but here's the address that you're looking for. That's a pointer.

If you, instead of going to cell E-5 you accidentally go to cell A-1 because you've used the wrong pointer, then you will write over somebody else's memory, some other part of the source code.

Here, the defect in the 2005 Camry is that there are many places where pointers are de-referenced without checking them to be valid. And that is something that's important to do in the safety critical system, is to check that they are valid.

So if, for example, one of those pointers became 
corrupt, then it would cause a chain reaction of 
additional damage to the memory. 

Q. What is a race condition? 

A. A race condition is a subtle timing bug. Toyota uses the term task interference, and on that basis NASA also refers to task interference. You heard about the 10,000 global variables. You can imagine that one of those global variables is the balance in your checking account. Suppose there are two of you who each have a checkbook or checks from that account. If you are near the bottom of your bank balance and both of you write checks, you're going to end up with an overdraft condition in the bank, but also it's not clear -- there's a race, it's not clear which one of you is going to get to clear the check and which one of you is going to get to balance the check.

There's something similar that can happen in software which is that you have two or more tasks, like two tasks as having two checkbooks and they're both referring to the same global variable or same cell in that spreadsheet, and if they're both writing at close in time, they can actually step on each other's toes.

And it could be that one of them gets its answer there, or the other one gets its answer there, or together they corrupt and damage it to create a third value. You don't get a check balance, in this case you get a corrupt memory.

Q. And you found that defect to exist in the '05 Camry?
A. Yes. 

Q. Nesting schedule or -- nested schedule or unlock, 
what does that mean? 

A. A nested schedule or unlock is a very bad thing.

The use of -- it's complicated to explain again. I promise this is the last slide about these things. But in nesting schedule unlock is, one of the ways you prevent corrupting these data locations that are used by multiple tasks is you tell the operating system, hey, while I'm updating my checkbook balance, don't let the other -- it's like calling your friend and saying, don't write a check, I'm about to write a big check for the rent.

That's a version of that in the software where you tell the operating system, while I'm doing this, don't let any other tasks switch and take over. Let me finish my job and then when I'm done then you can give the processor to someone else. You ask the processor please don't let any other task run until I'm done, and then briefly, maybe just a few instructions later you tell the operating system, okay, I'm done updating that variable, it's okay for other tasks to run. It's called a scheduler or locking.

It is a bad practice that is in Toyota's code to lock the scheduler, tell the operating system to lock, and then a short time later lock it again. And it's particularly dangerous with the operating system that Toyota's using because when the first of those to finish unlocks, it's like someone going to a deadbolt on your front door and you lock, someone else comes along, locks it again, no change, right? But the first one of you unlocks it actually changes the security state.

The same thing inside the operating system, if you have nested calls to the operating system to lock, the first unlocker is going to create a race condition. It's going to create an opportunity, a time window through which race conditions can occur. It won't happen every time. If it happened every time, it would get in the vehicle testing in Toyota's factory. It happens rarely because it's a subtle time-related bug. It depends on sort of the stars aligning in a bad way. And those kinds of bugs are exactly the kinds of bugs that I'm used to looking for and finding in embedded software. And we found those types of bugs in Toyota's code also.

Q. Can any one of these cause memory corruption?

A. Yes, any one of these by themselves can cause memory corruption.

Q. The unsafe casting?

A. So unsafe casting is where numerical values can become inadvertently rounded and take on new numerical values. Give you an example of this. One of the bugs related to this is in Toyota's code. It is possible for the software on the main CPU, although the actual car is supposed to have its engine move -- you know about RPMs and tachometer, the car is supposed to go from zero RPMs, revolutions per minute, to in this case a maximum of 6400 RPM, that's the red line. We're above the red line where it will stop. And along the way there is all these different values of RPM. Well, those are okay in the software, but due to a casting bug in Toyota's code, it is possible for that value to become negative and there's something like 100 parts of the code that look at the engine speed and they could become very confused if the value went negative. And it could also become very large like 13,000 RPM which could confuse the software in a different way.

Q. And last one stack overflow?

A. So a stack overflow is a very dangerous problem
where, it's like a buffer overflow but it's a very special buffer. It's a buffer that all the tasks use to keep track of their internal decision making and keep notes for themselves about what they were doing when the processor was taken away from them the last time.

And that stack is of a set size. In Toyota's it's about four kilobytes, very small region, and if that buffer overflows then you end up overwriting whatever's beyond it in memory.

Q. All of these defects that you found in the '05 Camry?

A. That's correct.

Q. And all of them can corrupt memory?

A. That's correct.

Q. Why is it that memory corruption is so significant?

A. Well, memory corruption is so significant because it's a memory corruption that can cause a task death and task death can cause in a general sense unpredictable results, but in a specific sense, as with task X, cause loss of throttle control and also a disablement of a number of the fail safes.

Q. We talked about earlier some of your books. And one of them was a dictionary. And was that an effort to define certain terms that are used within the software industry?

A. Yes.

Q. Is one of the terms that you defined in your book 
spaghetti code? 

A. It is. 

Q. Let's go to the next slide please. Tell me 
generally what spaghetti code means in your industry? 

A. Well, in a nutshell it means that the code is very difficult to read and maintain. You heard Mr. Ishii say that NASA had trouble reading Toyota's source code. That wasn't to do with them not following MISRA, it's because it was badly written and badly structured source code.

And that's spaghetti code. Spaghetti code is -- I picked this picture of a very complicated electrical wiring intersection because I think it aptly demonstrates what spaghetti code is like.

Now I have to look at source code and I'm looking at this variable name and this function name and things of that sort, but imagine your job was to go fix the phone line that's out at Apartment 12 in that configuration. That's what spaghetti code is like. And when you go and find it, you may disrupt or you might tangle two wires together and cause the phone service to break in another department. And that's what Toyota's engineers are dealing with their source code and that's what they're referring to when they call it spaghetti like.
Q. When you say source code that is developed at one
time and then you continue to add onto as time goes on, 
rather than starting anew, can you end up with a 
spaghetti code? 

A. Yes. 

Q. Do you have any idea if that's the case in terms of 
Toyota? 

A. Yes. 

Q. What did they do? 

A. The way I understand the progression with Toyota is 
mostly through what I see in the source code evolving 
from year to year, and also what I read, for example, 
from Mr. Ishii's deposition. I've read more of it than 
what I saw here. But he talked about the time frame. He 
was there the whole time. 

Initially they didn't have electronic throttle 
control, they didn't have an operating system, they 
didn't use the C programming language. They switched 
from assembly language to C. They added an operating 
system. They added electronic throttle control. And 
they were all the while increasing the amount of 
complexity and intertwinedness of all this source code. 

Q. You were here for Mr. **Something deposition this 
morning? 

A. Yes. 
Q. And did you hear the discussion about one of the
documents between NHTSA and the Toyota employees about
updating the power train software?

A. I did.

Q. Have you actually reviewed that document?

A. I have reviewed that document, that's right.

Q. And in that discussion did Toyota employees refer to
their software as spaghetti like?

A. Yes.

Q. And did you create a slide about that?

A. I did. So these are all quotes from that document.

Q. And here it discusses activities to improve the
status like -- the spaghetti like status of engine
control application were started, is that correct?

A. That's correct.

Q. Is this the type of software that's used to help
control the electronic throttle control system based on
your review of the document?

A. Yes.

Q. Is there anything else you want to point out in
terms of this document?

A. Well, the document refers to first of all that the
power train engine code is -- which is another name for
the ECM engine control module. That's where the power
comes from. It also refers to other problems with
Toyota's process, such as that some of the C
source modules don't have specifications --
specifications or design documents that
say how it's supposed to work. In some cases the design
documents don't exist, and in other cases the design
documents say something different than the code, so which
is right?

Q. All right. Let's go to the next slide. Are there
several types of spaghetti code?

A. There are two basic types of spaghetti in source
code. One is what I'll call data flow spaghetti, that
really refers to having all the different, you know,
those couple of thousand modules, files of source code
all being interconnected with each other, which is a bad
architecture, through global variables.

For example, so when NASA says that -- and I can
confirm that Toyota's source code has over 11,000
global variables, they are saying that it is greatly
intertwined in such a way that spaghetti — the data —
if you want to follow a particular path, you know, where
does the accelerator signal go, you have to trace through
multiple files and multiple tasks to see where that data
goes. And they're all linked together with these global
variables. Some of which are 25, 30 characters long and
some don't have vowels and some -- two of them are
identical, except one has a P and one has a D, or a P and
a B.

Q. And just remind us, what is a global variable? 

A. A global variable is one of those ingredients in the
recipe, but it's being used by multiple recipes. So an
example of that would be the global variable that tells
the combustion part of the software how wide open the
throttle should be, should it be 10 percent open or
should it be 100 percent open. That's a global variable.

Another global variable is the one that I referred
to earlier that keeps track of how fast the engine is
going. Is it 2,000 rpm or 3,000 rpm. And when those
are being referred to from multiple places, not only is
it spaghetti, but it also increases the probability or
chance of race conditions and task interference.

Q. Is there in your industry a standard for how many 
global variables you should use? 

A. Well, it's not an absolute science with that. 
Certainly, you should not be using 10,000. Certainly you 
should not be using 1,000. The academic standard, as Dr. 
Koopman said is zero. In practice a small number of 
global variables may exist in some well structured 
programs, but generally a very small number. 

Q. And what is the next type of spaghetti code? 

A. There is also control flow spaghetti. So here the 
spaghetti that you have within a recipe, it's greatly
internally obligated. That's like picking up a recipe 
book and you can't follow it. You can't figure out, you 
know, what am I baking at this point, what step am I on. 
That happens sometimes in source code when one function 
-- remember, we looked at function earlier, a larger of 
one function, instead of fitting on one PowerPoint slide, 
takes 20 pages of printout just to look at that one 
function, and inside there's all these different cases 
and ifs and tests and looking at this variable, looking 
at that other variable. It's like a very complicated 
recipe that you're not sure what you're going to get when 
you get to the other side. 

Q. You got down here at the bottom you talked about
testability and then you talk about scoring of greater
than 50. The greater than 50, what are you referring to?

A. So, I wrote a report chapter called Toyota's code
complexity in which we produced a large number of tables 
using some static analysis tools to tell us how complex 
is each function that's in the source code. So the tools 
give a score and it's based on the number of different 
ways you could possibly go through that function. The 
number of different sub recipes you might imagine. So 
the number of different possible recipes you can make 
from that one. 
And this actually is something that is useful to
software developers generally. If you are, like Dr. 
Koopman talked about going to a company and assessing the 
quality of their product. If you run a tool like this 
and it spits out code complexity numbers for each 
function that will direct you to the ones with the 
highest score are the ones most likely to contain bugs. 
And so if you're hunting a bug, one of the things you can 
do is go and clean up those parts of the code. 

And many organizations that I've consulted with
maintain a practice where they will not release a product
if it has a code complexity of any function bigger than,
a typical number is 30. Toyota's code actually has 67
functions that score over 50, which has been assessed as
an untestable score. What that basically means is that
this one little recipe within this bigger complex
electronic throttle control system, just to test that one
little recipe in the factory when you make the car, you
would have to test at least 50 different vehicle states
and software states. You would have to test all 50 and
you would have to have a detailed documented plan that
said, here's what I'm going to do to test path one.
Here's what I'm going to do to test path two. Test path
three, et cetera.

And there are actually design techniques and
processes called code coverage analysis. Where you try
to make sure that the tests you run on your product are
actually going through every one of those lines of code
and every one of those possible paths. I see no
evidence that Toyota did that. And particularly not for
these untestable functions.

Now, within those 67, there are 12 in the 2005 Camry
that have over 100, which is assessed at a level of
unmaintainable, which basically means, if you read the
papers, that above 100 it becomes so difficult to go in
and fix a bug, that every time you fix a bug, you make a
new bug. So you've got this very buggy code, it's hard
to test, and you go in and make a change and you break
something.

And one of those 12 unmaintainable functions is the
approximately 1,300 line function that performs the
calculation of mathematics to decide how open to make
that throttle. And that's an area that NASA was very
interested in, and in fact tried to simulate and could
not simulate to its satisfaction and found that Toyota
not only did not have a test plan to test all 146
paths through there, but also did not have a simulation
of it like NASA wanted to run.

Q. Throttle angle function, is that the function that 
determines how open the throttle's going to be while 
you're running the car?

A. That's right. That's the function that takes as its
input the accelerator contribution, the cruise control
contribution, the idle speed contribution and all the
other subtle ways that the throttle needs to be trimmed
are all taken into account in that. To produce one,
ultimately one angle, like 50 percent or 30 percent.

Q. Does that function have to work with task X in order
to run the car?

A. Yes, that function is executed by task X. It's
among the kitchen sink of things that it does.

Q. Let's go to the next slide. You mentioned stack
analysis earlier, is this a more detailed explanation of
that problem?

A. Yes. We're going to talk about stack.

Q. Let's start at the top?

A. Okay. So we did an analysis of Toyota's stack. And
the first thing I should probably explain is what a stack
is. So I mentioned that if these tasks are switching
back and forth taking turns with the processor, the stack
is both how, when they are running, they pass information
from one recipe to another. If one recipe calls larger
of -- to compute the larger of two numbers, it passes
information through the stack and gets the results back
through the stack.

But then also it holds that information on the stack
in memory in that area temporarily while the processor 
runs a different task and then switches back. And so 
this stack is a very important data structure that is 
used by all the tasks. And the operating system allows 
them to use it. 

And the programmers have to pick the size of it. It
has a finite size. It's just a block of memory, a contiguous
block of memory.

So actually in Toyota's design for the 2005 Camry
there are two stacks. One is a stack on the right that
is specific to task X; the other is a stack on the left
that is for all the other tasks. And there is also
something called interrupt service routines. Kind of
like tasks, they complicate my explanation, so I'm mostly
ignoring them, but they are abbreviated ISR for interrupt
service routine. And you see those reflected there as
well.

And so what you have on the left is a depiction that
at every moment in time in the car's operation the stack has
a fixed bottom address, and in some processors and some
designs it's zero in memory, and then it has a fixed top
address or end address. And in this case I've depicted
it as growing up to 4K, 4096 bytes, and then it also has a
current address or a stack pointer, which points to where
the system is on that.

And so we performed an analysis called a worst case
analysis, which is a process whereby we assess if all the
tasks are using the stack simultaneously, which can occur
from time to time, will they explode beyond the stack
potentially and overwrite what's past it.

NASA was interested in this subject and Toyota 
provided them an answer, which was that the stack was 
only utilized at a worst case of 41 percent, 1,688 bytes. 

What Toyota didn't know apparently, and NASA
understood, is that -- NASA misunderstood therefore, is
that the actual worst case is 94 percent. And that's not
including something called recursion. NASA spent a
great deal of time talking about Toyota's use of
recursion, which could cause the stack to overflow.

And in fact, we don't know how much memory could be
consumed by the recursive function — a recursive function
is a recipe that calls itself. Like in order to compute
the larger of 67 and 65 let's call ourselves on the larger
of 66 and 65. That's not how that function works, but if
you can imagine if it called itself, it could do it many
times. And there are some recursive functions in
Toyota's source code, which is not appropriate in a
safety critical system.

And the NASA report reflects that inappropriateness,
but NASA did not realize that the recursion was on top of
94 percent. They thought it was on top of 41 percent.
Making matters worse, if the stack overflows in the 2005
Camry, the next thing in memory is the critical data
structures that are not protected inside the operating
system. So if you have a rare stack overflow, the first
thing that is going to get damaged are those 3 by 5 cards
that tell the operating system what to do.

Q. So if in using this the tasks end up running past 
the allowable memory, it then moves into what memory is 
being used by the operating system? 

A. It just keeps on scribbling.

Q. Does it overwrite things that are going on with the 
operating system? 

A. Right. Those are the critical data structures like
the three tiers of keeping track of what's going on with
each task and which task to run next.

Q. Does that cause memory corruption? 

A. Yes. Obviously, the stack overflow itself causes 
memory corruption. The corrupted data is this 
unprotected operating system data and a side effect of 
that can be task death. 

Q. Is there any other information we need to know about 
this slide? 

A. Yes. Specifically recursion violates a MISRA C
rule. So had Toyota followed MISRA-C, which is an
automotive industry subset of the C language that's safer
and specific for the auto industry.

In 1998 that standard had a Rule No. 70 called — I
don't remember the exact language. But functions should
not call themselves. And the rules basically are the same in
2004 but they changed the numbering system, so in the
2004 standard this rule, same rule is No. 16.2. So this
is a violation of the MISRA C rule.

Q. Does the violation of this rule relate to
unintended accelerations?

A. Yes.

Q. In what way?

A. The stack can overflow due to this recursion in the
2005 Camry.

Q. And create memory corruption? 

A. And that would create memory corruption, that's 
right. 

Q. What was NASA's view about this recursion? 

A. So NASA's view, NASA was concerned about stack —
possible stack overflow. They had a couple of pages
devoted to it, about five pages. I pulled some quotes
here. Recursion could exhaust the stack space leading to
memory corruption and run time failures that may be
difficult to test -- detect in testing. The question
then is how to verify that the indirect recursion present
in the ETCS-I does in fact terminate and does not cause a
stack overflow.

And then the third one, the CPU in the ETCS-I does
not have protected memory and therefore a stack overflow
condition that cannot be detected precisely. Overflow
would cause some form of memory corruption. And I should
just stop there.

When NASA refers to protected memory here,
they're not referring to EDAC, they are referring to
something called run time stack monitoring, which is a
technique that software developers use to make sure that
-- it's like a flood marker on a river. When the river
rises and gets to the flood mark, you know there is going
to be trouble and you start activating.

The same thing is a technique that is well-known and
used for a long time by embedded software developers,
which is you make an area of the stack that you watch and
you see if it gets corrupted. A common thing to do is
write all ones to it, or some binary pattern, and you
have a part of the software that is monitoring to see if
the high watermark has been breached. And if it is, you
know that you might get into dangerous uncertain
territory, and so you can do a safe shutdown or reset the
system to get past that.
Q. Is it the memory corruption that's being talked about
here that can cause a UA?

A. That's correct. NASA didn't know that the memory 
just past the stack was the operating system, as far as I 
know. 

Q. Are we through with this? No. 

A. So NASA also says it's not clear what impact
recursion has with respect to the larger UA problem.
There are other sites of recursion that we haven't
analyzed.

Q. So they just didn't look at it? 

A. They looked at some, they took Toyota's word on
some, and they didn't analyze the rest. And NASA didn't
ever know that there was so little safety margin. So
Toyota's answer to NASA about recursion included that
they had -- Toyota said they had added an extra margin of
safety more than double the 41 percent. So Toyota's
answer to NASA is, don't worry about it, we've added a
margin of safety of more than double. But the truth is
that margin is not there. And Toyota itself didn't even
realize this.

Q. Let's go to the next slide. And we talked a little
about some of the things you found. What are some of
the stack mistakes?

A. So the first big mistake that Toyota made here, is
that — and this is why it's not 41 percent, it's 94
percent. Is because Toyota didn't do a thorough
analysis. When they did their own internal analysis of
the stack to come up with the number 1,688 bytes, they
missed a bunch of stuff.

The one that accounts for the most extra bytes is
the operating system itself. The operating system, every
time it's switching from one task to another, it stores
data on the stack, so you can't just add up the worst
tasks themselves, because when they are running they all
have stuff on the stack, and you also have all the operating
system changeovers between them, as well as interrupt
service routines. And Toyota missing that is the biggest
factor in why it was 94 percent, not 41 percent. But
they also missed about 350 functions. They had some
mistakes in their attempt at automating the rest that we
found as well.

So actually the 94 percent is the most we found.
It's possible that the stack could go beyond that as
well.

Q. Let's go to the next one.

A. On top of that Toyota used dangerous recursion. So
I showed some quotes from the NASA report. Here's
another quote from the NASA report. It says, "Absence of
recursion is standard in safety critical embedded
systems." And I would agree with that. It is not
appropriate to use recursion. And MISRA and NASA and I and
Dr. Koopman all agree on that.

Q. But Toyota has it?

A. Toyota has it in the 2005 Camry, that's correct.
And finally, Toyota didn't perform run time stack
monitoring. This, by the way, is in the cheaper 2005
Corolla that was supplied to Toyota by an American
supplier named Delphi, which is different than Denso, the
Japanese supplier. So Denso is supplying 2005 Camrys and
it doesn't do any run time stack check monitoring, but
Delphi is supplying 2005 Corollas because at the time of
partnership of the Corolla being manufactured with GM in
California. Delphi supplies that and the Delphi one,
although it has many defects as well, the stack overflow
is not a possibility in that particular design, as I
understand it.

Q. Okay. Next slide?

A. Toyota also failed to comply with a number of
standards, including the standard for its own operating
system. So it used an operating system that it got from
its chip vendor NEC. They supplied the processor and
they also supplied an operating system called RX OSEK
350. The processor is the V850, this was an operating
system for that processor called RX OSEK 850. OSEK is a
reference to an international standard API, which is a
programming interface. It's kind of a software term that
means how you control the operating system. What the
function names are and things like that.

At any rate OSEK came out of the automotive industry 
in Europe and this was -- a market was created where 
multiple operating system suppliers could provide 
compatible operating systems. So that from the auto 
maker's point of view, they could switch from one to 
another and they would still be using a version of OSEK. 
And the idea being that those operating systems would 
then compete on quality, compete on the price, et cetera. 
And in order to make sure that the car maker's code would 
work on any one of these, there were a set of compliance 
tests set up to make sure it was truly an OSEK. 

And only operating systems, when you read the 
documentation, that have been tested are supposed to have 
OSEK, they are supposed to say OSEK is a trademark and 
that sort of thing, so they are supposed to be tested. 

We found that the one that Toyota used was not in 
compliance at all. And actually, at that time, by 2002 
there was a compliant OSEK available on the market for 
that very processor, but Toyota for reasons unknown to 
me, chose to go with one that was not certified as 
compliant. 
Q. This particular operating system RX OSEK 850, is
that also included in some of the other vehicles you
looked at, like the Lexus ES, certain model years
Toyota's V6 Camry?

A. That's correct.

Q. Let's go to the next slide.

A. Toyota also failed to comply with standards, and
here we heard from Dr. Koopman about a higher level
concern about safety process. That's not what I'm
referring to here. Here I'm talking about, for example,
the MISRA C guidelines.

Q. That is the smaller book, right?

A. That's the smaller book that is very specific on the
C programming language. So the big book says you should
use a documented subset of a language that is safer. And
the little book is those -- that subset, those
instructions.

And by 2004 when they updated this, they wrote in
the book that this was being widely adopted in multiple
industries, they didn't expect it to be used outside of
automotive, but they are very happy it was. And also
that in 2004 when we were updating it, or prior to that,
they had worked with the Japanese equivalent of what here
we call the Society of Automotive Engineers, which has
standards and has conferences for automotive engineers,
obviously. That is the Japanese Society of Automotive
Engineers and the Japanese Automobile Manufacturers
Association. They participated in the drafting of the
second version of this. And indeed, one of Toyota's own
employees was thanked in the contribution.

Q. That was put out in 2004?

A. Well, the original standard was in 1998.

Q. And are you talking about, does that relate to the
original one, or the one that came out in 2004?

A. Well, the 1998 one was the first version that MISRA,
Motor Industry Reliability Association of the United
Kingdom published, and then these comments are from the 2004
edition of that.

Q. And in the review of what Toyota had done did NASA
find any violation of these codes?

A. Yeah, NASA found a number of violations of MISRA
rules.

Q. Did you find violations? 

A. Yes. NASA looked at about 35 of the rules. There's 
in total, I forget the exact number. It's basically the 
same set of rules in 1998 and 2004. But as I recall, 
it's over 100 rules total. NASA looked at 35 of them and 
they found over 7,000 violations, and they reported that 
on page 29. 

I checked the full set. There were a couple that 
were difficult to test, but basically the full set and
found more than 80,000 violations in the 2005 Camry. 

Q. There was also a discussion about compliance with 
MISRA rules that we heard from Mr. Ishii, I think he said 
something like maybe 50 percent of compliance of used 
MISRA rules. In your code review did you find that to be 
true? 

A. No. 

Q. What did you find?

A. I actually wrote a whole report on Toyota's coding
standard in one of my chapters, and what I found studying
their coding standard was that actually -- the MISRA
rules are over 100 rules and the Toyota rules — I have
an appendix that lists them all -- I think it's about the
same number, about 100, maybe 119, but only 11 of
Toyota's coding standard rules overlap with the MISRA C
rules. And interestingly, five of those rules are
violated in Toyota's code.

So when they say 50 percent overlap between the two,
our rules and MISRA rules, no.

Q. Do you know the percentage on how they actually
match up?

A. Just different ways of calculating the percentage.
I couldn't make any come anywhere near 50 percent. They
mostly shake out around 10 percent.
Q. Did you also review some work done by a Toyota
employee named Mr. Kawana related to his development of
how to look for bugs in software related to rule
violation?

A. Yes, I did. 

Q. Tell us about that. 

A. So there is a paper by Mr. Kawana that was presented 
in Detroit in 2002 and also a presentation that was made 
in San Diego in 2004. They both contained this bug 
chart, so I pulled that slide from the presentation in 
San Diego. And this is showing that in Mr. Kawana's 
view, and these slides are also bearing the Toyota logo, 
it's reasonable to estimate the number of bugs using the 
number of violations. And the standard he looks at — for
what's a violation — is MISRA C. And this is the same
Mr. Kawana who I see thanked in the MISRA 2004 documents,
so he was clearly participating in the update of MISRA in
some fashion, and around the same time he has presented
this at an automotive industry conference that suggests,
at least to me, not knowing otherwise, that Toyota is
complying -- that Toyota's viewing MISRA C as an
appropriate — the number of violations of MISRA C as an
appropriate way to estimate the number of bugs still in
the code. It's called bug population estimation. People
do the same thing with counting fish in a pond. You can
do things like count some and mark them and throw them
back. There's different ways of doing estimation 
techniques of how many fish are in the pond. Here's a 
technique that industry can use to estimate how many bugs 
there are out there. But this is based on the 2002 paper 
on past Toyota projects. 

Q. This is Mr. Kawana's bug chart? 

A. That is Mr. Kawana's bug chart. 

Q. And on this bug chart they've got 30 rule 
violations. Does that indicate that you do have bugs? 

A. Yes. In his calculations, if there's 30 rule
violations, there will be one major bug and ten minor
bugs.

Q. There's also been testimony that -- and you heard 
part of it from Mr. Ishii that Toyota had its own 
internal coding standards? 

A. I did. 

Q. Have you reviewed some of those standards? 

A. Yes. 

Q. In your review of the source code, were you able to
determine if some of those were violated?

A. Yes. 

Q. Let's take a look at that? 

A. So Toyota maintained an internal set of coding
rules. They may have had multiple coding rules, but this
coding rule was specifically for 32 bit processors, which
is what's in the V850 main CPU, written in the C
language for the power train. So it's referring to the
ECM that I analyzed code for.

And what I found is that, first of all, Mr. Ishii's 
statement that 50 percent of them overlap with MISRA is 
way off. I also found that at least about a third of 
Toyota's own coding rules are violated. So they weren't 
enforcing their own rules. 

Q. Would that have been the source code for the 2005 
Camry? 

A. It was the source code for the 2005 Camry. And
that's all documented in my chapter on Toyota's
coding standard.

Q. All right. What's next? 

A. So, the whole point of having a coding standard,
whether you choose to adopt MISRA or write your own, is to
follow it. What good is a rule that is not followed?
And so it's actually the enforcement part of having the
rule that's important.

What I see is Toyota had a standard specifically for 
this system, they had various suppliers, including Denso 
contributing to this system, and themselves, but nobody 
was enforcing this standard at all. And that to me, 
based on my experience consulting in industry indicates a 
lack of rigor or engineering discipline within Toyota.

Q. What's next ? 

A. This is actually part of a larger pattern that I've 
seen through the documents that I reviewed, through the 
source code that I've reviewed, et cetera, which is that 
Toyota didn't do things that I would have expected them 
to do, and doesn't have documents and paper to prove that 
they did those things. I would have expected them to produce,
if their -- if my software was challenged, is there a bug 
in your code, I would expect to produce, here's the 
database of all the bugs that passed, found and fixed, 
who fixed it. That's how these bug databases work. How 
long it was known about before it was fixed, which ones 
we haven't found yet. You know, some of those might turn 
up later. They don't have that. There's testimony 
about that as well, that they don't have that. 

They also do inadequate peer code reviews. So you
heard Mr. Ishii say we look at some of the code some of
the time when we're interested in it, but they don't look
at all the code all the time. And peer code reviews are
something that's a known, good, cheap way to find bugs.
I wrote the code or changed it, you look at it. You look
over my shoulder. Just like an editor would do on a
document. That's all code review is. It can be formal
and it should be formal in a safety critical system, so
there should be a paperwork trail that says on this date
we met, reviewed this module, we found these three bugs
or potential bugs, and we expect those to be fixed. And
this paper trail will make sure that they get fixed. And
that's how it should work.

Q. Based on a lack of systematic processes you
described, have you reached an opinion on whether this
software is defective?

A. Yes.

Q. What's your opinion?

A. My opinion is that this code is of unreasonable
quality and defective.

Q. You mention down here there is no bug tracking
system?

A. That's what I talked about, a database of all the
bugs that have been found and fixed. It doesn't
necessarily have to be a database, it could be a
spreadsheet, but there should be some system in a company
that's making safety critical vehicles that says, yeah,
that odd behavior that was observed down in the lab
yesterday, or on the track yesterday, let's assign some
engineer to look into it, see what happened. Find the
bug. Or if there's not a bug, explain it.

Q. Does Toyota agree there's bugs in the software?

A. Yes. So I think this was in Mr. Ishii's testimony
yesterday. When it comes to software there are going to
be bugs.

Jumping to the end, so the issue is not whether or
not there is a bug, but rather is the bug an important
material bug. And indeed, there are not only bugs but
there are also important material bugs in Toyota's code.

Q. Based on what you heard from Mr. Ishii has Toyota
ever checked to see if a bug would stick the throttle
open?

A. Mr. Ishii said he's never looked for one and he's
not aware of one.

Q. Did NASA have concerns about software causing UAs
in Toyota's throttle?

A. Yes.

Q. And did they look at it?

A. So this chart shows a bit of the methodology that
was used by NASA. So, this is what's called a fishbone
diagram. And so the idea is that, is there a way -- this
is asking a question -- is there a way that unintended
acceleration can be caused by a software error. And then
they are enumerating through branching the possible ways
that could happen.

And so, for example, there could be a bug in the
throttle algorithm, and that would be an example of a
coding defect or error in the recipe. That, if it happened
and it related to UA, could cause UA, and then NASA broke
out other things, other things that could happen. For
example, they talk about task interference or race
conditions, and they talk about not having protections
against faults like bit flips. And then they trace back,
well, what would cause that bit flip, data corruption,
communication faults, timing faults, et cetera.

And the idea is that if one of these root conditions 
can occur and is not blocked by something upstream, then 
it's a possible cause of UA. 

Q. This document we're looking at, this diagram, is 
this one you created? 

A. No, that's -- it's from NASA Appendix B pages 36 to 
39, is that part of the analysis. I included multiple 
pages because there they describe their thinking and 
rationale on each of those sub bullets. 

Q. So NASA was looking for the exact same thing you 
were looking for? 

A. That's correct. 

Q. Go ahead? 

A. And these are examples of things we found. So 
putting it in NASA's terminology, and NASA's chart, the 
defects I've described fit into these coding defects, 
task interference, insufficient fault protection, data 
corruption paths. 
Q. And in terms of the memory corruption we've been talking about, does it fall into these categories?

A. Yes. So specifically memory corruption over here, combined with insufficient protection against memory corruption, can lead to a UA.

Q. All right. There will be some discussion by Toyota in this case about layers of safety and safety items -- fail safes they put in their system to catch what we all term as UA, is that right?

A. That's correct.

Q. Have you examined some of those areas to explain where there may be the gaps you talked about earlier?

A. Right. So the important thing from a safety point of view is not, we have 12 fail safes, or we have four fail safe layers, it's are there any gaps in them.

And so these are the layers as I see them and understand them from Toyota's documents and reports. And for each of them, each of these layers, I wrote a specific chapter where I analyzed that part of the system, documented what I found, documented if there were any defects in the fail-safe or layer, and also if there were any holes that could allow something to get through these layers.

Q. So now we're going to look at each one of these layers and have you explain the defects?

A. Yep.

MR. BAKER: Your Honor, I don't know when you want to do an afternoon break?

THE COURT: Let's go till three.

Q. (BY MR. BAKER) Let's go to the next slide?

A. So I've sort of put these in order. So layer one is first.

Q. Mirroring of critical variables. Tell me what mirroring means?

A. So mirroring is like having two cells that have the same value sort of in your spreadsheet. Technically, if you just have exactly the same value, I would refer to that as echoing, with -- you have an echoed copy. Mirroring is slightly stronger than that, and Toyota generally uses mirroring, which is, mirroring is you also flip all the bits. So you have two copies of the thing, but if they were next to each other and they both clobbered to zero, they wouldn't match, because one of them being zero should make the other one be all ones. So it's an extra layer of protection.

And so the best protection for mirroring is keep them apart in memory, do something like flip all the bits in one versus the other. So that when you write to it, you write both. And when you read from it, you read both. And if they don't match when you read it, then you know that something has gone wrong and you can't trust that value.

Now, depending on how important that value is, it could be that you just use a default value and continue on. Or it could be a very important value like the throttle command, 10 degrees or 100 degrees -- or 100 percent, and in that case then you might do something different than just use a default value.

Q. So this is a technique that Toyota engineers have used?

A. Yes.

Q. Did they use it correctly?

A. Toyota used mirroring to protect thousands of variables. And they did it generally correctly. I'm not going to speak for all thousands of them. But they did it generally correctly with respect to those. The defect is, they missed some of the critical variables.

Q. Tell me about those variables?

A. So one example we've already talked about is the internal data structures within the operating system. They missed it because they never looked at the operating system. They got this operating system in binary from their chip supplier and they never looked inside it to see what was in there.

Now, if you're designing an FDA regulated medical product, there are guidelines and you are instructed if you're building this insulin pump or pacemaker and you decide to use an operating system or other third party software, you need to audit that as well. Toyota didn't do that here. And that is one of the reasons I believe that they missed mirroring within the operating system.

Q. What about the target throttle angle global variables?

A. Yeah, there are a number of other variables that aren't mirrored, but the one that is really interesting from this point of view, from our discussion, is that the target throttle angle, the one that says 10 degrees or 10 percent or 100 percent, 10 percent or 100 percent power, is not mirrored.

Q. So there's not -- there is nothing that's got that data stored like -- it wouldn't be mirrored?

A. There's no second copy of it. Not echoed, either.

Q. So if the first copy is corrupted, it's corrupted?

A. It's the only copy.

Q. And why is that important?

A. Well, it's important because if you -- if the software corrupts and changes that throttle command, the rest of the software just sees a number in a particular cell in a spreadsheet. It doesn't distinguish or know that it's not a command from the driver or a correct calculation of what the driver wants and what the engine wants, not to stall, all those things. So if it suddenly changes from 10 percent to 20 percent, is that coming from the driver pressing on the pedal or is that coming from the software changing it?

Q. Have you got an example?

A. Yeah. Let me walk you through the process here. So the way their design works is that you have the accelerator pedal, which is being read by task X, and then it writes the calculated value, that very complex, code complexity of 146 unmaintainable function, it chooses a value. I put here as an example 20 percent of throttle. And then it writes it into a memory location, a 16-bit or two-byte memory location.

Q. An unmirrored bit?

A. That's correct. It's an unmirrored 16-bit location.

Q. All right.

A. And then the next thing that happens is another part of the software comes along and reads it and it says, oh, it says 20 degrees, 20 percent. And so its job is to open the throttle to 20 percent. And that's actually kind of complicated because you're trying to move something mechanical and the software is trying to do it, so you're pushing on electrons, and the electrons are pushing on the motor and the motor is opening to the right amount.

Q. So how can you have a UA from memory --

A. So, for example, if task X died and stopped writing to that location, and the unmirrored throttle command was set to a larger opening, the other part of the software is just going to pick up the new value and open the throttle.

Q. Whether that is a correct value from the accelerator?

A. Whether that's a correct value from the accelerator or not.

Q. Go to the next line?

A. So this says in words what I just said, which is that the death of task X causes the loss of throttle control, accelerator pedal doesn't work, cruise control doesn't work.

Q. What else?

A. This motor control task, and it's not just one task, it's more complicated than that, I'm just simplifying it here for my explanation, but that motor control task keeps driving the motor -- and by motor here, I mean the motor that moves the throttle, it's the part that turns the knob on the water valve. And so, either if task X is dead, you can get a stuck throttle, which is the last calculated command, or the last computed one over here, or it can change it to a corrupt value through an additional memory corruption.

Q. So if you have a memory corruption of the throttle angle variable that you just showed in your last slide and then have a task death, what can happen with the number that is sent to the computer to turn the throttle to?

A. Well, then it can become any number between zero percent and 100 percent.

Q. Is there any cap on the actual amount?

A. Well, the throttle physically, technically it opens between degrees and degrees. Whereas 90 degrees basically would represent no blockage of air flow. And so degrees is slightly less than 100 percent. You can never really get 100 percent. And even when you close the throttle, you're usually not blocking all the air flow or else the engine would stall. So you're somewhere between about six degrees and maybe sometimes lower when you're idling, and about 95 percent of what you can get.

Q. Does the task death of X in that scenario involving the throttle angle variable have to occur first or after the memory corruption of the throttle angle variable?

A. If they are close in time, the two memory corruptions are close in time, it could be an either/or. If task X was dead for a while though and then the second memory corruption happened some time later, then it could also happen that way.

So if the two corruptions happen close in time, which is likely when you have memory corruption, often it's not just a single -- when it's a software bug or even hardware bit flip, it can ricochet and bounce around like a bullet inside, and so it can cause multiple memory locations to be damaged. And so that can begin small and grow over time. And so, if they both happen right about the same time, it could be that the throttle command is corrupted first and then the task dies. But there's more time opportunity the other way.

Q. Can the throttle angle variable be corrupted through a hardware malfunction and a software malfunction?

A. It could be -- by itself, it could be corrupted by either one, that's correct.

Q. What's next on this slide please?

A. So this is just memory corruption can propagate from one to another. You can think of it as shotgun pellets bouncing around inside the memory, flipping some bits or changing whole bytes --

Q. And in this scenario, can the throttle angle go to any number?

A. Yes.

Q. All right. And have you done a diagram to kind of explain this?

A. Right. So I put the previous graph together and I said, okay, on the left side we still have task X but it's no longer monitoring the accelerator or the driver controls, because it's dead and its death has not been detected. And then now I drew a vertical bar or a line showing that it's no longer ever writing to this global variable that's not mirrored. And so a memory corruption there changes it from, say, 20 percent of throttle to 50 percent of throttle.

Q. Are you just using that as an example for your chart here?

A. Purely illustrative.

Q. What happens next?

A. And then the motor control task, not knowing that task X is dead, interprets this command as 50 percent as coming from the accelerator through task X, or from the cruise control through task X, or something else through task X.

And so now, it's just going to drive the throttle to 50 percent open, and you're going to get more engine power.

Q. In this example, do we have a task death?

A. Yes.

Q. Do we have a memory corruption?

A. Yes.

Q. We have the computer setting the throttle at some angle, 50 percent here in your example?

A. Correct.

Q. Is that 50 percent in this example set by a malfunction in the software?

A. Yes.

Q. Is it unrelated to where the driver in your example is moving the pedal?

A. That's correct. So there's a disconnect now between that vertical line between the accelerator and what the throttle is doing over there in the engine.

Q. Well, we just talked about failsafes. What happened to the failsafes?

A. Well, the failsafes are the monitoring -- that are left, are monitoring this portion over here and saying the throttle's open halfway in voltage, electrical terms, and the command is for it to be open halfway. Those failsafes don't know that task X is dead because they haven't detected it, and task X has taken some of the failsafes down with it that would have known about the driver's intent.

Q. Are some of those failsafes or the activation of those failsafes task X?

A. Yes, most of the failsafes on the main CPU are in task X.

Q. So when it dies, what happens to the failsafes?

A. When it dies, they don't run and so the failsafes don't run.

Q. All right. And we talked earlier about a situation where something like this would happen and then somebody would step on the brake?

A. Correct.

Q. What would happen then?

A. So if somebody steps on the brake here in this scenario?

Q. Yes, sir.

A. If they weren't on the brake initially, and they step on the brake after this begins, then there is a failsafe in the monitor CPU that will inadvertently detect a symptom of the task X death. That failsafe is called the brake echo check. We'll talk more about it in a couple of slides. But the brake echo check will detect the driver pressing the pedal if they press the pedal and hold it at least about of a second, and then it will cause the throttle to close, and seconds later it will cause the engine to stall.

So if you have speed on the highway, the engine will stall.

Q. If a person has their foot on the brake when this scenario in this example occurs, what would happen then?

A. In that event, in order for that brake echo that is inadvertently detecting this task X death to do anything, the driver would have to remove their foot entirely from the brake pedal. So while the car is speeding away from them, and as they are letting up mechanical pressure and maybe pumping or maybe -- I don't know, it's counterintuitive to let off the brake when that happens, but the car is going to speed up first because you are mechanically letting go of the brake pressure that you have, and then, because each time you pump you have something called vacuum loss, which causes the air that is flowing through the engine, because the valve is so open for the throttle, that air is getting sucked into the combustion process and not going into the power brakes. So you actually lose brake effectiveness while this is happening if you start it on the brake. And it will go on until, can go on forever.

Q. If we have this example and it starts with the driver has their foot on the brake and they never let off the brake, they are trying to get it to stop, how long would this last?

A. Mr. Arora, Toyota's expert, says it depends on how much fuel you have.

Q. All right. Have we covered this slide?

A. Yes, I think so.

Q. Let's go to the second layer of safety that we talked about, the DTCs and other failsafe modes?

A. So NASA in its report talked about the failsafes that Toyota described to it. And there were five failsafes on the main CPU that NASA discussed, and these are called the limp home modes, the idle mode fuel cut and engine off. And just briefly, the limp home modes, some of you may have experienced this in a car before, that if your car's engine is malfunctioning, it will allow you enough power to drive, to limp to the dealer or repair facility, but not enough power to go out on the highway. And that is a safety mode.

And Toyota has three different ones. And it depends -- there's two gas pedal sensors, accelerator pedal sensors, if it mistrusts one of them, it might allow the throttle to be open 10 degrees or 1- percent, if it mistrusts both of them, then it will only allow the throttle to be open a smaller angle. So there's three different angles. As I recall, they range from degrees or degrees to or degrees.

There's also something called idle mode fuel cut, which is that when your car is idling the rpm will never go above 2599. Just like when you're driving on a road, no matter how much gas you give it, the rpm will never go above 6400. When you're just sitting there at a stop sign it will never go above 2500. Now, 2500 rpm, especially depending on the gear you're in, can be a lot of power in a car, but that is a limit that is built into the software that NASA describes as a failsafe mode.

Q. Where are these failsafes located?

A. All of them either are located entirely within or depend upon task X. So when task X is not running none of these are relevant to the discussion of UA.

Q. And part of your heading has got DTC, the diagnostic trouble code. What is significant about them in terms of task X?

A. So the DTCs, as I've mentioned, is something that is stored in the computer that says something went wrong. And so when this happens, there is not going to be any DTCs stored, but I don't want to rule out all of them because there is another task that does a few. But generally speaking most of the DTCs are going to be disabled during this scenario.

So if you were to reboot the car and read the computer you may find no codes as though nothing was wrong, and now because you've rebooted it, all the tasks are alive and the car is running normally again.

Q. The diagnostic trouble codes that can be set when something is wrong with the car, if they are set and stored, are they stored forever?

A. No, they are not.

Q. If the vehicle loses battery power, what would happen to the codes that had been set?

A. The DTC codes are stored in an area of memory called battery backed RAM. Most of the time when you reboot a computer, the RAM, working memory, is emptied out or becomes nonsense. But battery backed RAM, because it's getting a trickle of current all the time, can maintain its contents. But it only maintains them while the battery is applied. So if you parked the car after the incident and the battery drained, then you would lose all the information. Or if during the accident there was a disruption of power supply, then you would lose those codes that might have been set.

Q. So for example --

A. And that's true regardless of task X death or anything else. That's just how the system works.

Q. That is how Toyota's system works?

A. That's right.

Q. So if Ms. Bookout's car before it was inspected by anybody lost battery power, would any DTCs, if they were set, still be in the car?

A. If the battery had been disconnected there would not be DTCs to recover because they would have disappeared from memory.

Q. All right. Let's go to the next slide. The third layer, your title, watchdog supervisor. Can you explain this one to us?

A. This one is going to take some explanation. So if you ever had a computer crash like your iPhone or your Android or whatever, and you were there to reboot it. It's not working and you reboot it. But some computers are in situations where there is nobody there to poke the button. So for example, when NASA sends a mission to Mars. Mars Pathfinder is a good example in 1997. The first color images come back from the surface of Mars. They sent it there, they include in the design something called a watchdog. So the idea is that the hardware will wake up or reset the system if there is a software crash. And this actually turned out to save the day in the Mars Pathfinder mission because when that ship arrived on the surface it was able to beam back photographs and other things, and the following weeks when NASA engineers were doing their science on the surface, they had actually a number of watchdog resets. If the watchdog had not been there to save the day, then they wouldn't have gotten the computer to phone home again so they could fix it.

In your car, the watchdog is there to -- if something goes wrong with the software, it should be there to reboot the system very quickly so that you can get back to a safe running car. And Toyota does have something, they have a watchdog timer chip and they have something they call the supervisor. I call it the watchdog supervisor in my report. And the job of that software, that part of the software, is to periodically check in with this watchdog timer hardware, WDT, and if the software doesn't check in, then the hardware resets automatically the processor.

Q. Is that what it's supposed to do?

A. That's what it's supposed to do.

Q. In the example you just gave, if we have a task that dies, say task X, and it doesn't report in to the watchdog, what's supposed to happen?

A. Well, ordinarily when you have one of these watchdog supervisors, the software to kick the dog, kick the timer, you're supposed to monitor all the software for its health. And that's been well-known for a long time. And certainly, when I was editor in chief of the magazine, that was well-known and we published articles about how to do good watchdog timer design. That would have been in the 2001 to 2003 time frame.

When there are multiple tasks because you have an operating system, it's necessary to check that they are all working. You can't just say, well, I, the supervisor in here, I'm happy, don't reset us. You have to check on all of them. That is how it should work. Unfortunately, that's not how Toyota's design works.

Q. What is the problem with theirs?

A. Toyota's design, actually they have an abysmal design, not just unreasonable in my view, but I use the word abysmal. This was actually the first chapter of my report I wrote because I couldn't believe what I was seeing.

Toyota has a watchdog supervisor design that is incapable of ever detecting the death of a major task. That's its whole job. It doesn't do it. It's not designed to do it.

It also, the thing it does in Toyota's design is look out for CPU overload, and it doesn't even do that right. CPU overload is when there's too much work in a burst, a period of time, to do all the tasks. If that happens for too long, the car can become dangerous because tasks not getting to use the CPU is like temporarily tasks dying.

And in Toyota's watchdog you can have any overload going up to one and a half seconds, which at 60 miles an hour I calculated is about the length of a football field, you have any vehicle malfunction for up to a football field in length that's explained only because this watchdog design is bad, and because the processor is overloaded momentarily. And that should have been also a job of that watchdog supervisor. And that is one they tried to implement and they don't do it well.

They also made a classic blunder, one that's taught by professors like Dr. Koopman to first year students in his embedded systems class, which is, you don't dedicate a hardware timer on the main CPU to periodically kick the hardware on the watchdog, because that will keep functioning even though vast portions of the software and the tasks are not running because these interrupts are a higher priority than the tasks.

And so, that is a design that you -- and I have spoken about that at many conferences, not doing it that way. And they do that.

They also, in order to not detect a death of tasks, the operating system is sometimes telling them, hey, the task isn't working right. And they have lines of code in there to throw that information away. They are ignoring error codes from the operating system telling them there's a problem with this task. And that, by ignoring those error codes, is a violation of another MISRA rule, No. 86 in the 1998 version.

Q. So if a task death occurs and that information is ignored, it would violate this MISRA rule?
A. That's correct.

Q. And could that have an impact on causing a UA?

A. Yes.

Q. Are there ways to do it differently?

A. There are. Reasonable alternatives to this were well known long before this car was designed. In fact, in the 2005 model year Prius, they have -- in a Prius you have two engines. You have a combustion engine and you have a battery engine. The Prius combustion engine looks a lot like the Camry combustion engine code, but they had a fresh new design for the hybrid battery computer. And guess what? It has a good watchdog. It's a better design in there. It monitors the health of every task, and it monitors both for executing it too frequently, and for not executing frequently enough.

The primary purpose of this part of the software should have been to detect task death. Toyota didn't do that. In my view, based on all the evidence I've seen, because the CPU was overloaded at times, and the watchdog was weakened to allow that.

Q. So based on your information from the Prius, did Toyota know how to do it right?

A. Absolutely.

Q. Let's go to the next slide. Layer four, this is our last layer of safety that you're going to talk about from Toyota's perspective.

A. Let me just back up. You asked me did Toyota know about it. And I don't know for a fact whether the engineers would have at Denso or Toyota.

Q. Fair enough. Thank you. Is this our last layer of safety that was in your original slide?

A. Yes, this is the fourth layer.

Q. The ESPB-2 monitor CPU. I think they've heard a lot about this, but that's the smaller chip that you showed them in the picture of the overall board, correct?

A. That's correct.

Q. Tell us about this.

A. So there are some failsafes in the monitor CPU for various purposes, and I examined those. And on this slide I'm summarizing the relevant ones with respect to what happens when there's task death and UA.

One set of them is what's called system guards. And there are these three different system guards, one on the main processor, one on the monitor processor, and one that straddles the two of them.

And in theory they are specifically designed to look out for UA. But in practice, when task X is dead, they are either dead or they don't have any knowledge of the driver's intent. And so they are not operating at that time.
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1 Q. And the brake echo check, you mentioned this a 

2 couple of time earlier, correct? 

3 A. Yes, so the brake echo check has turned out to be an 

4 interesting aspect of the monitor CPU, because it does 

5 sometimes detect the death of task X after there has been 

a UA in our testing. So in the testing where unintended acceleration by task death was observed, sometimes when the brake switch was transitioned, either the driver first pressed on the brake or the driver released the brake because they had been on it, this brake echo check detects that symptom of task X death; however, this is not an appropriately designed failsafe because, first of all, it waits for the driver to act first.

So, and also if the driver's action when the car is misbehaving is to say it's going slower than I want, let me step on the gas pedal, this does nothing. So the driver has to act first and the driver has to change the state of the brake pedal, which in some cases could mean doing something very counterintuitive, which is taking the foot off the brake during an emergency event.

Clearly, that is not by design of Toyota's engineers, despite what we heard from Toyota's expert Mr. Arora.

In addition, it takes the wrong action. When this brake echo check that inadvertently detects task death does act after the driver, after the UA, it doesn't reset the ECM to restore the system to normal function. It stalls the car wherever you are. It first cuts the throttle, which slows the car, and then later it stalls the car completely, which could also contribute to harm.

Q. You understand there's been no evidence in this that Ms. Bookout's vehicle stalled prior to the crash?

A. I do.

Q. And we've got one more line?

A. Just simply from my analysis of the source code, there are several reasons. I put them in my report why this brake echo check is also nonreliable.

Q. And why is that?

A. There are some reasons why it's not -- it's not designed to be 100 percent reliable. There are several reasons; I'd have to look at my report to refresh my memory.

Q. Do we have another line up here?

A. And finally, nothing in the monitor CPU detects all main CPU malfunctions. There is not, for example, a watchdog supervisor-like function that looks out for task death, or looks out for UA. These are the relevant ones.

Q. How do you know that?

A. Because I've viewed the source code, because in the testing, nothing else is active.

Q. Okay. This particular part, this monitor CPU, have you seen any evidence that Toyota actually did a design check or design review on the software or source code in the monitor CPU?

A. I have not.

Q. Do you have a slide on that?

A. So Toyota didn't look at this monitor CPU. The end final failsafe, the second CPU, they didn't look at it.

As -- this was, I think from Mr. Ishii's deposition on Friday, when it comes to the source code for the monitor CPU, we, Toyota, don't receive them, there would not be a design review done on that software. And the attorney asked, that's the one with the monitoring software for the electronic throttle control system, correct? And Mr. Ishii said yes.

Q. And you were here to hear that testimony when it was played?

A. I was. And I've read it before.

Q. What's the next slide, please?

A. I just want to repeat that, because I think that is an important point.

Q. Why do you think it's important?

A. Well, Toyota has made public statements that there couldn't possibly be a software cause for UA. I've reviewed documents where Toyota's own investigative teams to end UA complaints don't include anyone for software on the team. They look at floor mats, they look at pedals, they look at confused drivers, but they've never really sought the source code to actually look and see like, hey, this second chip, does it really do what we think it does.

Q. And is it this chip, the monitor chip, you've seen the source code?

A. I have. And NASA actually has not. NASA was not provided with it. I think we heard Mr. Ishii say maybe they didn't ask for it.

Q. And the source code for this chip that was produced late?

A. Yes, this is the source code that was produced about three weeks before my report was due in Van Alfen. And this, by the way, is exactly the same chip and software from 2005 to 2009 in the Camry, and some other models as well, but that is irrelevant to this discussion.

Q. Is it the same in the --

A. I don't recall as I sit here.

Q. Why do you say the monitor CPU is the last line?

A. Because there's nothing else beyond the monitor CPU. So if the main CPU is malfunctioning and its own failsafes are either disabled or not doing anything, the
monitor CPU knows that the driver is pressing on the brake, the monitor CPU knows the percentage open of the throttle, the monitor CPU knows how long those things have been happening at the same time. So, for example, if the driver has been braking for half a second and the throttle is still at 50 percent, surely that suggests there is some sort of problem going on in the vehicle. Potentially, the main CPU has malfunctioned.

And this chip had in it everything it needed when it was designed about 2002 to have paid attention to those two things. It had all the electrical signals coming in, all electrical signals going out, it had adequate memory, it had adequate CPU time to do this small check. And it could have -- if it was a software malfunction, a reset of the ECM would cure it. Now, if it was something like an entrapped pedal, resetting again is obviously not going to fix that, and so maybe a second action should be something different.

But as a first step, as a first action, they could have included software like this. And this is extremely important. Toyota designed a vehicle that has a braking system where the power brakes are connected mechanically through air flow to the throttle. When the throttle's wide open, the air is largely flowing into the combustion process, because there's a vacuum there sucking it in. And it's -- and the brake can become depleted so you don't have assistance from the brake. You're losing pressure when you pump.

And Toyota must have understood that. There is a mechanical linkage between the throttle and the brake. And maybe in a mechanical throttle system it was always the case that the driver let off and closed the throttle, so that wasn't a problem. But when they put software in charge, they should have taken notice of this and cared tremendously about the fact that the software was responsible for all three elements of combustion. And they could have acted back in that time in 2002, approximately, when they were designing the ESP-B2 chip; they could have acted to stop any UA, no matter how many bugs were in the CPU.

Q. If they already had that chip, would it have cost them anything to make that software change?

A. I mean, it would have cost some engineering time to do this and testing time. But in terms of a per-unit cost per car, it's the same chip, same amount of memory, same processor, a couple hundred lines of assembly code.

Q. All right. We've gone through several things. Let's talk briefly about the software process of Toyota. Have you evaluated that?

A. I have, yes, sir.
Q. What did you determine based on that?

A. There are a number of defects, and some apparent explanations for those defects. So one defect is that there are single points of failure and the -- what they call the failure modes and effects analysis that Dr. Koopman talked about, and I think he showed on one of his slides some examples of Toyota's documents, where they think of things that might go wrong and then they decide if and how they are going to mitigate them.

They missed stuff when they did that. And it's my opinion that's because they didn't have a formal safety process like the MISRA, the big book. They don't follow a recipe for making a safe system.

They also have the defect that they didn't do peer reviews on the operating system code or the monitor CPU code. And here, ultimately, it comes down to resources. Toyota did not put people and time behind checking up on the suppliers who were supplying this critical software. The operating system at the heart of this main CPU and this second CPU that's doing the monitoring.

Q. What about the watchdog?

A. Well, the watchdog, I haven't seen any evidence that they peer reviewed it. But that design has stayed almost identical through the model years that I've seen on the main combustion engine.

Q. Did the watchdog supervise the task death?

A. Not reliably, not most tasks.

Q. What else?

A. The -- another defect in their process is that they didn't follow their own coding standard. Now, in my coding standard chapter, I assess my opinion of their coding standard. I've studied coding standards, I've written a coding standard book, I'm familiar with MISRA, and I assessed that many of the rules that they have are simply, like, this is how you should name your variables; they did not have very many rules that would have kept bugs out. And in fact, some of their rules actually would have increased, related to race conditions, would have increased the likelihood of bugs in their code, particularly over time.

And they didn't even follow this lousy coding standard that they had. They didn't put people, again, to make sure that their suppliers -- and not all this code was written at Denso. The code on the main CPU was partly coded from Toyota, partly coded from Denso. And when there is a different supplier like Delphi, that GM supplier, they give the Toyota part of the code to Delphi and then Delphi adds the Delphi part of the code, so it's a mix of Toyota code and supplier code. And they didn't enforce the coding rules, apparently, on either one.

Q. What's next?

A. Next is that the watchdog supervisor doesn't detect most task deaths. As I explained, it's my view that the reason for this is that the CPU was overloaded from time to time. In other words, it cost them less to water down the watchdog than to upgrade the CPU to a fast enough CPU.

Dr. Koopman talked about something called rate monotonic analysis. It's in my report too. That's something that Toyota's engineers should have done to make sure that all of those tasks would always complete on time and there would never be CPU overload. But they didn't. And there are specific places in the code where they say, oh, that test didn't finish yet? Okay. We'll wait for it next time, maybe it will run next time, because the CPU is overloaded.

And there are also indications that in different model years of different cars they are moving around functionality, like the automatic transmission, is in another processor on the same board, or on another board. And because early on they are trying to do all this stuff with older processor technology, and then in the 2005 Camry design they combined them together into one.

And they keep switching these things around, which is an indication to me that they can't do it all in that one processor. And that, the poor watchdog design, a number of other things that I've documented in my report.

Q. And then lastly talk EDAC.

A. Right. So those extra hardware protection bits, the EDAC, as NASA calls it, the parity that Dr. Koopman talked about, those cost money. And it's actually somewhat straightforward to calculate, because if you have eight bits you want to protect, to do it right you need five more bits. And so you're taking something that was eight and making it 13. And a lot of the cost in that is related to the size of the chip, and that's tied directly to the number of bits. So you're increasing the area of the chip, making a bigger processor, in order to do that. And Toyota chose not to do that in the 2005 Camry. They had by the 2008 Camry added not the five-bit version but a cheaper version, I believe it was a three-bit version.

Q. In terms of EDAC, did Toyota tell NASA that the '05 had it?

A. Not only did NASA write in its report that they had it, but I've seen the email where NASA asked if they had it and Toyota responded that they did.

MR. BIBB: Objection, Your Honor, hearsay.

THE COURT: Overruled.
THE WITNESS: That's in my report, by the way. What was I talking about?

Q. (BY MR. BAKER) You've seen an email where Toyota actually told NASA they had EDAC on the '05?

A. Right. So it's clear that NASA didn't just make this up out of thin air, Toyota told it to them in an email.

Q. Let me ask you this about EDAC. Does EDAC help prevent memory corruption?

A. Yes, it does. And NASA was concerned about if there was a bit flip due to EMI or some other hardware effect, could that cause a UA. And NASA relies on the fact that there's no EDAC when reaching its decision that that can't happen.

Q. Because they believe --

A. Because they believe EDAC is in it. And furthermore, Toyota redacted or suggested redactions that were made in the NASA report; almost everywhere the word EDAC appears it's redacted. So someone at Toyota knew that NASA thought that, enough to redact from the public that false information.

MR. BIBB: Objection, Your Honor, now he's interpreting, I move to strike that last piece of testimony.

THE COURT: I'm not going to strike it but move on.

Q. (BY MR. BAKER) Let's go to the next line?

A. Just the point really is, if they were confident that they didn't need EDAC, why let NASA believe it if they had some other explanation.

MR. BIBB: Objection.

THE COURT: Sustained. I'll strike that last answer.

THE WITNESS: I'm sorry. I misunderstood.

THE COURT: Is this the last slide on software?

MR. BAKER: We can break if you need.

THE COURT: Why don't we do that. It is now 3:00, we're going to take a 15 minute afternoon break. I remind you during the break, do not discuss the case, do not form any opinions and get lots of caffeine.

(THE FOLLOWING PROCEEDINGS WERE HAD AT THE BENCH OUTSIDE OF THE HEARING OF THE JURY.)

THE COURT: We're back on the record outside of the presence of the jury.

Go ahead, Mr. Bibb.

MR. BIBB: As I understand, the plaintiff intends now to offer most of the other incidents that are identified in Mr. Barr's report, am I correct, Mr. Baker?

MR. BAKER: Yes, sir.

MR. BIBB: Our objections to that would be to
the extent there are incidents that occurred after the date of the incident in this case, which is September -- back September 2007, or after the date this vehicle was sold, after August of 2005, that those can only be offered for purposes of trying to show defect in this vehicle.

And plaintiff has a high burden of showing substantial similarity with those and it is the plaintiff's burden, so I think we're going to have to do more than just ask Mr. Barr to describe them to the jury. We're going to have to have some sort of hearing on each one of them as to whether they are, in fact, substantially similar. And I understand the Court is interested in the type of software, but again you've got to look at the type of incident. There are short duration incidents, long duration incidents, and I think that you're going to have to make more of a showing than plaintiff intends to talk about.

MR. CLARK: A particular problem is the problem that we got into on Friday with regard to those vehicles that have six cylinder engines, because I think the Court's already seen the PowerPoint is full of limitations, you know, limitations to the L4. There has been some sort of discussion of some differences between the four cylinder and six cylinder. For instance, EDAC is present in the later six cylinder engines, something we just ended with. And it's certainly our position that Mr. Barr saying that the four cylinder and six cylinder are substantially similar for my purposes, which I think is the gist of his testimony, is not a sufficient foundation. The evidence is undisputed that there are significant hardware and software differences between the two engines. In fact, the older six cylinder Camrys have an extra CPU in them.

THE COURT: Mr. Baker.

MR. BAKER: Your Honor gave us guidelines that you anticipated you would follow in looking at these defects, and also refute the position taken by the defendants as to reasons they can be both. The Court at that time said whether it's pulling into a parking lot or merging onto traffic is not necessarily a big factor that you were going to consider, that you were more concerned about is that software defect issue that was looked at by Mr. Barr substantially similar. I've already set a lot of the predicate already. I specifically had him describe 2002 to 2010 Camrys, the L4 and E6s where he said the software was substantially similar, that they also had the same operating system, which I'll reiterate. The ones in his report are all Camrys and so I would only ask him about ones he specifically reviewed and relied on in part of his analysis in this case.
MR. CLARK: Your Honor, on this slide we've got some bullet points --

THE COURT: Which page?

MR. CLARK: 55. I'm sorry. Mr. Bibb was talking about having to have a mini hearing on these and that's exactly right. There's at least one of these vehicles in his report that does in fact have an all weather floor mat present in the vehicle and it's in his report anyway. Obviously we are going to have to examine him about that. And you know, this is sort of getting into the 403 issues and a waste of jury time and the cumulativeness and the confusion of the issues that I think we've already briefed and already argued, we would reiterate here, because whether or not a particular incident that postdates Mrs. Bookout's crash was caused by a floor mat is wholly irrelevant to what this jury has to decide.

THE COURT: Which one of these did you say -- did you find specifically there was a floor mat issue?

MR. CLARK: Ms. Preese-Morrison testified that she had a plastic floor mat that she bought at Walmart that was on top of her --

THE COURT: I just read her deposition during the lunch hour and she was very clear -- at least her testimony, she was very clear that she had the officer look at it, so.

MR. CLARK: That's right, but that is not what Mr. Barr's slides say. Mr. Barr's slide says no all weather floor mat.

THE COURT: And you certainly can attack him or critique him on that on cross examination. Is there another that you think -- because I see a lot of these he says no floor mat.

MR. CLARK: We can go through one by one.

THE COURT: I don't care to do that. Was that the one you were specifically referencing?

MR. CLARK: That was the one I was thinking of. I think Gomez was in his Van Alfen report and he took that out. That's another one.

THE COURT: Let me tell you. I had made notes on what he was saying about these and he said for the 2002-10 Camry models that the operating systems are substantially similar as were the software systems substantially similar. And that he talked about a whole chapter one that discusses the similarity of it. I had another notation on his slide 43 where he specifically says that this particular software is the same in everything from 2005 to 8. And there are only two of these or three of these perhaps that I tabbed that were actually nine, but I think were included in the first -- in his statement having to do with this chart on page five. But Mr. Baker has addressed, and again, I don't know other than hearing it in argument that I've heard anybody say that the V4 or V6, that the engine size changes anything.

MR. BAKER: I asked him specifically that question and he said the software was substantially the same.

THE COURT: Regardless of the engine size?

MR. BAKER: In terms of this defect.

THE COURT: Right. And then I did notice in terms of going through, and again, I haven't read each one of these, but I did notice that there is additional stuff in here about people die and say they are going to die or they're severely injured, or going off a sheer cliff.

MR. BAKER: I'm not going to -- I'm just going to ask factually about what happened in the UA event, not who died or who got hurt. I will instruct the witness not to talk about that.

MR. BIBB: As I understand, Your Honor, the facts and circumstances of these accidents are vastly different between the circumstances in this case, you can still admit them. The first one, Hill, was attempting to enter a parking space where the vehicle suddenly
accelerated. A very low speed, very short duration, very confined area. The factual differences between many of these incidents and the crash in this case which was a high-speed exiting of a freeway.

THE COURT: But I don't think there has been any evidence, correct me if I'm wrong, that has said that if -- because Toyota's position has always been, this just didn't happen. But from the plaintiff has there been any evidence that task death would perhaps only occur when it's a long term as opposed to a short term? I mean, it happens and then it lasts whatever length of time it might last until there is an accident or it stops?

MR. BAKER: That's right. And he specifically used these events as part of his root cause analysis to come to the conclusion.

MR. CLARK: Something that is important, Your Honor, is that Mr. Barr's testified that if the incident starts with a foot off the pedal, or a foot on the accelerator pedal, and then the driver brakes, then the brake echo function is going to close the throttle and eventually stall the vehicle after That was his testimony. That was the only testimony that we've heard. So if you take one like -- let's see. Hazel is a good example, 77 and 85, apparently didn't begin with a foot on the brake and once the event began she applies the brakes. That takes us out of the similarity of these incidents that allegedly begin with the foot on the brake where he's testified that it's absurd to expect somebody to remove their foot from the brake.

THE COURT: Mr. Baker, are there certain ones of these that it's undisputed that the foot was on the brake all along so that this brake echo should have kicked in?

MR. BAKER: I don't know the answer to that, Your Honor. I viewed these as part of this analysis. I think whether the foot was on the brake when this started then goes to the weight of it, not to its admissibility. And part of this is to refute Toyota's position that this doesn't ever happen.

MR. CLARK: Doesn't go to weight versus admissibility, Your Honor, it goes to whether it's similar or not. Nassar is another good example of that. This fellow was entering the highway. I've entered a lot of highways, I'm sure the Court has too, and I always enter highways with my foot on the gas pedal, so that one pretty clearly there's a transition that takes it out of similarity. 81 and 85, I'm sorry, the top of that page.

THE COURT: Where is it in 81 that you said he had his foot on the brake?

MR. CLARK: He said the incident started on the second or third lines, while driving in New Jersey. He reported that while he was entering the highway the vehicle wanted to continue to accelerate. I'll admit from that we don't know for sure what pedal his foot was on, but it seems to me you're entering the highway, pretty likely the foot is on the accelerator pedal. He goes then from the accelerator to the brake. And Mr. Barr has said brake echo should work in that situation, it should close the throttle. I think that is undisputed.

THE COURT: Let me ask, isn't this all being offered just for the purposes of refuting Toyota's claim that these situations don't exist. And you're not claiming that the brake echo wouldn't -- was there a brake echo in this car?

MR. CLARK: Yes.

THE COURT: So you're not saying the brake echo system, you're just offering these for the purpose of showing that unintended accelerations, some of them brake echo may have kicked in because of the way the foot was applied.

I'm going to allow these with the caveat being none of the details about describing the accident or people who were injured, statements in it.

MR. CLARK: Are we to understand then that the
universe of other incidents in this case is limited to the ones that Mr. Barr has described?

THE COURT: No. And we will discuss that in more detail. One of the depositions that you all gave me had somebody reading through a bunch of reports and we'll be discussing those outside the presence of the jury as to which if any of those are going to come in. But right now I would say you're probably well taken because if he hasn't laid a foundation and it wasn't a preaccident, I don't know how else they are going to get their foundation laid. Okay.

(THE FOLLOWING PROCEEDINGS WERE HAD WITHIN THE HEARING OF THE JURY AS FOLLOWS:)

THE COURT: We're on the record. The members of the jury are present as well as counsel and their clients. Mr. Barr is still on the stand and still under oath and you may continue -- how about this, you may conclude your direct examination.

Q. (BY MR. BAKER) Looking at this slide on Toyota's inadequate software process, I think we heard a little bit of this from Dr. Koopman. Can you briefly tell us why you put it in your slide presentation?

A. Yes. What I conclude from reviewing the documents and examining Toyota's source code and other things is that while Toyota has a reputation for being a quality producer of mechanical automobiles, internally their software process was inadequate, and you know, they lacked internal expertise in a number of areas. This is their own internal document where this is a software development process that they've laid out. And each of the boxes that's in pink with an X, Toyota is saying we don't have knowledge inside Toyota, we're entirely relying on our suppliers for these areas.

And then in the same document there is a process in place for hardware and not software. In my consulting practice, in embedded systems of various kinds, I've seen over the years that there are not really very many companies that just specialize in embedded software. But most companies that make an embedded product, they make the product first and then they end up with software inside.

So they make cars first and then they end up with software inside them. They make microwave ovens first and end up with software inside them, et cetera.

And so what I see is Toyota came late to the software process, maybe, I don't know about current cars, but maybe they've improved things. This was part of a document where they were trying to improve things starting about 2007, with the 2012 model year.

But at this time when these vehicles were being made, including the 2005 Camry, they did not have adequate oversight or training of their suppliers or engineers, they didn't have enough staff in this area, et cetera.

Q. Have you reached a conclusion whether what you determined to be an inadequate software process led to the defective software you're going to describe?

A. Yes.

Q. What's your opinion?

A. It's my opinion that that lack of process led to the defects and the defects led to the UA that's described.

Q. Let's go to the next slide. This again relates to the process and the culture within Toyota?

A. That's correct.

Q. And what is this document?

A. This is a document that's an internal Toyota document. You can see Mr. Kawana was one of the recipients. But it's dated around the same time as those business review documents about their software process and their spaghetti code. It's in September of 2007. And I pull out this quote here from this email where the author is saying "In truth technology such as failsafe is not part of the Toyota's engineering division's DNA." And it continues, "But isn't it good that it is recognized as one of the major strengths of Toyota and
its system controls industry."

And then I highlighted also the portion that says, "Continuing on as is would not be a good thing."

Q. What does this tell you about your review of the documents?

A. My interpretation is that inside Toyota there was a growing recognition that they were not designing safe cars.

Q. In terms of the software?

A. In terms of the software, that's right.

Q. The next one, we've talked a little bit about NASA, you included in your chart, is that the NASA report?

A. Yes. On page 78 of the NASA report, the NASA report had some chapters also, they called them appendices, but in the main report at page 78 they had a table where they laid out some possible ways that UA could happen in Toyota vehicles and there were two they couldn't rule out. I talked about them earlier. One was if both accelerator pedal sensors failed at the same time or failed together, then the software had no way of knowing that.

The other was exactly what I've described here, a systematic malfunction of the main CPU software that is not detected or not detected in time by the monitor CPU. And so the quotes on the bullets match up with the highlighted portions of NASA's assessment of what that would be like. They are saying that the fault would escape detection, so a single memory corruption would result in UA. The fault would escape detection because there wouldn't be an EDAC error. And it turns out there is no EDAC to cause an error.

The idle fuel cut would not be active. The reason for that is because it's one of the five failsafes that are in the task X.

The watchdog would continue to be serviced.

Q. What does that mean?

A. Serviced means -- a lot of words are used for these watchdogs. You can kick the watchdog, pet the watchdog, stroke the watchdog. NASA used the word service. Service the watchdog means checking in from time to time to say everything is okay. So NASA is saying during this defect the watchdog timer would still have to be getting kicked or checked in with. And indeed, Toyota's defective watchdog software will continue to check in and doesn't detect the task death.

Q. And the monitor CPU?

A. And the monitor CPU doesn't detect the failure here because it's not designed to. Even the brake echo check that sometimes has detected and caused a sharp throttle and engine stall after the driver has acted
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1 after the UA has occurred, it wasn't designed to do that. 

2 It's inadvertently doing that. And the way you can tell 

3 it's inadvertent is because no designer would design a 

4 safety system where the driver of a car that is 

5 accelerating away from them had to release the brake. 

6 Even in some cases. And I haven't a Toyota Camry users 

7 manual that says, if your car is accelerating and you 

8 don't want it to, try braking. If that doesn't work, try 

9 not braking. 

Q. Are we done with this one?

A. I think so.

Q. I think this is a point raised by Dr. Koopman about single point failure, is that significant to you?

A. Well, it's significant because it's a very important point in safety critical system design. We don't want any single points of failure. And Dr. Koopman used a nice example of an airplane with one engine, or an airplane with two engines that had a common failure mode such as one fuel pump. And so this car shouldn't have single points of failure in it. And that is a normal mode of design for automotive safety systems.

Toyota tried to mitigate the risks of things like this happening, including in software, but they missed some of the single points of failure. And that is what happens when you focus on the trees and not on the forest of having an actual safety process adopting a big MISRA-like safety software building process and hardware design process.

And so some of the faults, some of the single points of failure are getting through gaps in the failsafes. Like Dr. Koopman said, there may be misbehaviors of Toyota vehicles that are getting caught by failsafes. What's really at issue here is that sometimes not only are there misbehaviors but they are slipping through the failsafes, and those are the ones that get complained about and those are the ones that injure people.
Q. Go to the next slide.

A. So as I stated, there are single points of failure in the ETCS. Some of these have been demonstrated but not all of the ones that we've identified have been demonstrated in the vehicles.

And task death, although I focused a lot on task X here, because it does so much and it does throttle control and it does failsafe, it's pretty important, but there are other tasks and they can die in different combinations. It could be task 3 and task X, or task 3 and task 7 and task X, or just task 9. And those can cause an unpredictable range of vehicle misbehaviors. It turns out that unintended acceleration is just the most dangerous thing your car can do when it malfunctions. The most dangerous thing your iPhone can do is crash or not let you call 911. The most dangerous thing your car can do is shoot down the road. So other lesser software malfunctions also likely occur, but the ones that get reported are these dangerous ones, the ones that cause harm.
MR. BAKER: Can we approach, Your Honor?

THE COURT: Yes.

(A DISCUSSION WAS HAD OFF THE RECORD.)

THE COURT: Ladies and gentlemen, this next document is going to have source code information on it again, so if you have not been authorized to view the source code, please leave the courtroom.
Q. (BY MR. BAKER) Go to the next line. You just finished testifying about other tasks not being identified when they die?

A. Correct.

Q. Is this chart associated with your work that has shown that?

A. That's correct. So the vast majority of the testing that has been conducted by either side's experts to date has involved killing just one task at a time. So each of the have been tried. And so I've put together this table with tasks. It's not their names and the source code that are here, but it's just a brief description of the task to help me remember how to talk about them. And then what things have happened in the tests that have been conducted by Mr. Louden, and also by Toyota's expert Mr. Arora. And so this is a summary chart and it talks about those things.

Q. And so of these in this chart where we see some reaction by the software and then not detected by the software, is that an instance where just a single task was killed?

A. Right. So there has also been some testing where task X was killed and one other task was killed, not referring to that here. Just referring to tests where one task was killed. It's as though one of the programmers on the Toyota team never showed up for work in your car at that point. So what happened in the car. We already heard a lot about task X death by itself, and that's if the driver changes the state of the brake pedal, then the throttle will get cut and later the car will stall. And I put in parentheses that that's the echo check. That is the brake echo check that's detecting that.

Q. And that we discussed application of the brake in the sequence of a UA, correct?

A. Right.
Q. If we've got a person who has their foot on the brake, but they -- I'm going to describe it as a pumping action, but they come back and forth pressing on the brake up and down, will that reset this echo and make it work every time that occurs, or is there something special that has to happen?

A. No, pumping can be without a full release of the pedal. You just move your ankle, you go up and down, but never really let off the pedal. If you don't let off the pedal then it will go on forever.

Q. Is there a special, what I'll call a brake switch for lack of a term, within the mechanical brake system that has to do some special function in order for it to reset for this echo to work?

A. That's correct. First of all, the switch has to open, and then also it has to be held open at least of a second before this brake echo will do anything.

Q. So we can have brake application and be within the constraints you just defined and not turn over the brake switch, and it won't cause this brake echo to come on?

A. That's true. And that's a good point because my slide just says brake change, but it has to be a brake change of a sustained duration. It can't just be a pump that doesn't let fully off. I was trying to summarize things here mostly so I could explain them.
Q. In terms of the other ones here that you show us, should there have been something within the software that detected the death of any of them that were supposed to be running?

A. Absolutely. There should have been something that detected the death of any one of them as quickly as possible and reset the ECM in order.

Q. Once you have detected the death of any of them --

A. The one that makes sense to me is the watchdog supervisor. That is the easiest place to do it. That's the place where most people do it. The monitor CPU can't see which tasks are running necessarily, doesn't have visibility to all of them, but the watchdog supervisor should, and should have been designed that way.

Q. So, we exclude task X, and we just look at the other tasks, I think I counted, is that right?

A. I think that's the same number that is in my report, yeah.

Q. So of the tasks, excluding X, if of them were to die, system failed, is there anything that is going to detect it?

A. There is nothing that detects it. So not even changing the brake switch detects it, so you have all these other tasks that are supposed to be doing something. For example, spark on cylinder number one: if that task never runs again, then you're not going to have a spark in the first cylinder. Now, that is not going to cause a UA, but it is an issue. You are not burning the gas, it's exhausting out of your exhaust pipe every time that the cylinder goes up and down.

Q. Have you reached a conclusion on whether this shows a defect in the software?

A. I have.

Q. What's your opinion?

A. My opinion is that the watchdog is defective and should have detected all of them as quickly as possible.

Q. And if a watchdog detects them, what are they supposed to do?

A. What the watchdog should do, and the one I believe that it will do is for this one millisecond task, if that task dies and doesn't run again, then the watchdog correctly resets the ECM in that case, it actually happens very quickly. It can happen within one millisecond plus the millisecond reset time. So in that 11 feet at 60 miles an hour, less feet. At half the speed it's five feet.

Q. And to the extent you can, can you describe for us what a vehicle would do in the event you have a reset if you're driving down the road?

A. I'm familiar with testing that's been done with respect to resetting the ECM, in a couple of different ways, by killing, for example, that one millisecond task and also by just forcing a reset electrically. And the observation has been that if you were sitting at a stop sign, it's possible your car will stall when it resets because the engine is turning slowly. But if you're driving down the road you'll see the RPM drop briefly and then it will go back and continue.

Q. All right. Let's move to the next slide. 

MR. BAKER: Your Honor, at this point I think 
we can let everybody back in. 

THE COURT: Okay. We will continue on. 

Q. (BY MR. BAKER) When you say that the test is effectively infinite, what do you mean by that?

A. Well, there are so many different combinations of ways and times when this can happen that it's impossible to test them all. It would take a vast amount of resources, resources that I don't have in the source code room, but resources that even Toyota doesn't have with their, you know, actual vehicles and test tracks and test engineers and, you know. It's not something you can test into submission. Because just looking at the number of task deaths, each one can die by itself. That is just m combinations. All could die at once. That is just one combination.

But when you add up all the ways that just two can die, or just three can die or just four can die, it turns out to be over 16 million possible combinations of task death. So how are we supposed to test task X, which we've already demonstrated UA, and all the other tasks that can die with, you know, one other task death, two other tasks dead, three other tasks dead. And then it actually gets harder than that because each task can die in different vehicle operating states. We've seen one of those perfect examples, is if it dies when the brake was already pressed, any amount of press, lightly pressed or fully pressed, then it's a completely different outcome than if the brake was not pressed.

And the same is true for if the cruise is on, not on. It matters also what happens next. For example, on that prior slide there was one task that was not detected. That task is involved in shifting the transmission. None of the testing to date that I'm aware of from either side has caused a transmission shift after killing that task.

Well, in an automatic transmission, you know, in a manual you move the gear. In an automatic transmission in Toyota's design software pushes electrons and electrons push something mechanical. And if the task that does that doesn't do that then your transmission is in an indeterminate state, and what if you needed to downshift or upshift in order for proper vehicle behavior.

So just killing that one task and saying no observed behavior, as Toyota's expert does, that's not enough information. We have to test all the things that the driver might do next, including if the vehicle then misbehaves, what will they do after that? Will they press the brake or not, pump or not, et cetera.

And there's also in addition internal software states. I talked about a million lines of code, 11,000 global variables. You would have to test each combination of task death in all of those different system states in order to -- basically there's too many tests to construct to be sure that nothing even worse could happen. That is, for example, an unintended acceleration, where no matter what you do with the brake pedal, let go of it or try it, the car won't stop.

Q. Is that infinite number of test combinations a reason for having a reasonable and appropriate design structure in place?

A. Yes. This is exactly the reason why you have to follow a process like Dr. Koopman says you have to when you're designing a safety critical system. Because those processes are designed so that even if you get something wrong on the main CPU, because you have two independent fault containment regions, the failure of one can be detected by the other, and it depends on whether it's an airplane or a car, what's the best thing to do, but when that's detected as, I don't agree with you and we both have an independent view of what should be going on, then you do something safe.

Obviously, in an airplane you don't just stop the engines and fall out of the sky. You have to do something else. But in a car you do the safest thing you can with that scenario under what's known. What's working and not working.

Q. In a software development process we talked about. 
Dr. Koopman talked about, is the process just as 
important as the testing? 

A. The testing -- I'm not going to say that vehicle 
testing like Toyota does is not important. It is 
important. But it tends to find the bugs that happen 
frequently. The ones that happen to everybody everyday. 
It doesn't happen to find the rare ones. So the process 
is equally important if not more important, because the 
process is what makes sure that even if you have bugs in 
there, which there will be, that those bugs and defects 
won't get through and cause a dangerous harm. 

Q. Anything else with this slide? 

A. Right. So in that infinite space based on reading the source code we were able to pick out a particular bit. We were interested in task X and what would happen from reading the source code and we were able to simulate in the code room that if we killed it in a certain way -- actually there's a couple of ways it could happen -- that that task would die and not run anymore.

And that's what we could predict would happen and we have test sampling from within that infinite space that confirms that Toyota, when they say we have layers of failsafe and you know, when they tell that to Congress and they tell that to NASA and they tell that to you, that's inadequate. That's not enough. They should have had the process in place.

Q. All right. Before we go to the next line, I did want to ask you. I think you told us earlier about your conclusions in terms of this case, but can you tell what you understand the facts to be in terms of the Bookout accident?

A. Sure. I understand that Ms. Bookout was driving a 2005 Camry, that she was driving south on highway, I believe it's called 69 near Eufaula, and that she was approaching an exit ramp and began to exit and slowed her vehicle, and that at some point on the exit ramp the car was not slowing when she was braking. And that she pumped the brakes in response, and told her passenger what was going on. And that a little bit further down the ramp her passenger suggested pulling on the parking brake. And there are indications that the parking brake was indeed pulled and this resulted either from the parking brake or the service brakes or both in a skid mark of 150 leading to a crash site in a ditch past a stop sign at the end of the exit ramp.

Q. Is it accurate to say in terms of the specific details about the reconstruction, you're leaving that to Mr. McCort?

A. Yes.

Q. Okay. Do you have an ultimate conclusion in this case as to why the vehicle would not slow down in the scenario you described for us?

A. I do.

Q. What is that conclusion?

A. My conclusion is that a software defect has caused the unintended acceleration which could not be stopped through the pumping of the brakes and the braking. Not in time anyway to avoid the crash.

Q. And in terms of the specific task and death or how this occurred in this case, have you got some sample testing to show us about how you demonstrate that?

A. Yes, I have another vehicle test that was performed.

Q. Let's go to that slide. Tell us about this. Is this one of the tests or combinations that Mr. Louden did?

A. Yes, sir. This is testing that was performed in a 2005 Camry by Mr. Louden and documented in his report in the Saint John case.

Generally we're looking at several different data plots of different signals that he was collecting during this. And I'm going to walk you through it step by step, but let me just generally orient you. The red up here on the top is how fast the car is going. You can see that initially in the test starting from about 40 seconds he accelerated until a speed, I don't know the exact speed, I haven't looked at the chart in a while, but you can see it's around less than 100 kilometers per hour, so it's probably 45 or 50 miles an hour here. And then at the time of the dotted line, he's killed the task, and then he's collected some various data along the way. And we'll talk about what each of these mean in just a minute.

So you can see the dotted line of killing the task is at a time 59. So the first thing you notice is that the vehicle speed is about 45 miles an hour. I'm not being too precise there, might be closer to 50. And so, the next thing to notice is that you see this orange arrow right here, this is showing that just after the task died Mr. Louden let off the gas pedal. He had been accelerating steadily, he lets off here but the speed of the vehicle remains 45 miles an hour. It's not responsive, so we have a loss of throttle control at that point.

To demonstrate that further, Mr. Louden shows that even if he tries now, let's say he wants to avoid an obstacle on the road or another car, he tries to use the accelerator, nothing happens. There is no change in the vehicle speed, no failsafe kicks in or anything like that. In fact, none of the failsafes act in any way, if we're greater than 30 seconds in this test, ranging from just before 60 to -- right about here we have something a little bit before 100 that that happens, so maybe 35 seconds or so.

And if you look here, what's happened at the end that's caused this throttle cut and an engine stall later is that Mr. Louden has let off the brake pedal, right here. So, because he was on the brake pedal even lightly when this task death occurred, you see the brake signal is this solid line is on, and then it goes down it's off the green line, so at that time he's let off the brake. And it's then about after that that the throttle is cut by the brake echo in the monitor CPU. And then after that we get an engine stall. And then because we're on the dynamometer we don't see the vehicle drop off before his test data collection ends.

Q. So he has his foot on the brake at the beginning of this particular test?

A. That's correct.

Q. And is this a test that explains to you that with the foot on the brake, the UA can continue on?

A. Yes, I mean, my opinion is based on more than just this test, but this test is supportive of my opinion, that's correct.

Q. And let's move on -- before we go on to the next slide. Let me ask you a couple of questions. This explains to us what can happen when you have a task death occur, correct?

A. That's correct. That's one of the possible outcomes.

Q. And it shows or demonstrates or at least is supportive of what you said having a foot on the brake when it happens?

A. That's correct.

Q. And we've gone through a lot and I just want to try to bring it all together if I can. And please correct me if I'm wrong. Task X dies in this test?

A. Right, so this test is a task X death only.

Q. Task X contains throttle angle, throttle -- all sorts of things?

A. Including failsafes, that's correct.

Q. And you've told us I believe that one of the ways that task X can die is if there is memory corruption?

A. That's correct.

Q. And if we have a memory corruption, task X dies, we have a corruption with the throttle angle variables?

A. But then the throttle can open wider or close, depending upon what the corruption value is.

Q. Is this sort of a scenario that you think more likely than not occurred with Mrs. Bookout?

A. Yes. I would just clarify that it may have involved other task deaths beyond just task X.

Q. But it's task X that creates the UA?

A. I believe so, yes.

Q. Let's move on to the next slide. Talk about the -- did you do what's called a root cause analysis to reach your final opinions in this case?

A. I did.

Q. Tell me what a root cause analysis is?

A. Sure. A root cause analysis is a consideration of all of the possible factors that could have led to, for example, a car accident or some other incident.

And so, when doing a root cause analysis, it is appropriate and scientific to consider all of the possible things that could have been involved. And so, for example, considering mechanical causes, like a mechanically stuck throttle; considering electrical causes and software causes; and also considering whether there could have been something like a pedal that was trapped under a -- a gas pedal that was trapped under a floor mat; or a pedal misapplication, human mistake.

Q. So in this case would you have considered other potential causes of a UA in eliminating those based on your analysis?

A. Yes. So in each case I studied the evidence, whether the evidence supported that as a cause or not, how strong the evidence was in relation to other evidence supporting other causes.

In some cases I was able to rule out entirely a particular cause. For example, the pedal entrapment by a floor mat does not -- there is no evidence to support that in this case. And I went through step-by-step, including the software and other factors.

Q. Is it listed in here in a slide?

A. Yes, at a high level.

Q. And as far as this, did you also consider the sworn testimony we talked about earlier today of other people who claimed to have experienced similar unintended acceleration?

A. I did.

Q. And in that process would you have looked at more specific things related to their occurrences in order to say they were substantially similar to this one?

A. I have.

Q. And did you include a list of those within your report that you used in this case?

A. I did.

Q. We'll go through the fact that you looked at it in a minute but I just want to make sure that those vehicles, are they all Camrys?

A. Yes. I looked at 2005 to 2009 Camrys.

Q. And in that range, would you consider the software related to the UA defect that you discussed today was substantially similar?

A. Yes.

Q. Continuing on with -- so you evaluated what you put up here you think is the cause?

A. Right.

Q. Were you able to rule those out?

A. In some cases I was able to rule them out. In some cases I ultimately concluded that they were less likely than the software cause.

Q. And let's go to the next slide. Now, are you here to tell us that, 100 percent, you know what defect caused this wreck?

A. No.

Q. Are you telling us more likely than not what defect caused it?

A. Yes.

Q. And is it the UA we just discussed with the death --

A. That's my opinion, yes.

Q. Under same or similar circumstances to some of the testing?

A. That's correct.

Q. Go to the next one. By the way, is it possible to tell a defect in the software?

A. No.

Q. And does it relate back to the incident number of tests that would be required that are not capable?

A. One reason is because of the large space of possible things that could have occurred. Another factor is that, unlike many safety critical systems I'm familiar with, there is essentially no logging of what happens inside Toyota's system. There is no, oh, we reset the processor at this time or, you know, just before the crash, for example, there is no information about the internal software state, how many tests were running or not running, what they were doing.

Effectively, you can think of it as when you reboot the engine, all of the evidence of what happened before is deleted.

Q. This jury has been told several times that the vehicle had been inspected and there was no mechanical problem with the engine or brakes or anything like that. Assuming that to be true, what would that tell you as a software person?

A. Well, the inability to find any prior mechanical problem or mechanical problem after the accident is actually supportive of a software malfunction theory. That's what software does. It casts a misbehavior that doesn't leave any stuck mechanical throttle.

You know, a mechanical cause like a bent pedal or a stuck throttle can move mechanically, would leave evidence that the car might have malfunctioned before the incident or it would have maintained evidence after the incident.

So the software cause is -- the case where a software cause is strengthened by the lack of mechanical findings in inspection.

Q. In order to assess the software issues, you have to go through what we've only gone through here for the last four or five hours, you have to go through that process?

A. Yes.
Q. All right. The next point, please.

A. So to a reasonable degree of engineering certainty, it's my opinion that it was more likely than not a task X death, possibly in combination with other tasks, that occurred that day, causing a loss of throttle control and an inability to stop the vehicle's full momentum because of the vacuum loss. So she had a vacuum loss in the brake when Ms. Bookout pumped the brake.

Q. And you also, as far as your work in this case and other Toyota UA cases, had an opportunity to see the testimony of Mr. Arora who offers software opinions on behalf of Toyota?

A. Yes.

Q. Did you happen to see other depositions of other experts for Toyota?

A. Yes.

Q. Have you become familiar with the positions that Toyota has taken in terms of defending whether UA occurred?

A. I have.

Q. All right. Have you prepared a slide to discuss those?

A. Yes.

Q. All right.

A. So back in July of 2012, when I issued my initial report, there was also a report that came from Toyota's expert at the same time. So we exchanged reports in the blind. And in that report, Mr. Arora took the opinion that, first of all, that Toyota had various layers of protection. We talked about hardware fail safes, software fail safes, system fail safes, et cetera.

But, and this is the important point, that just because you have fail safe layers it's great that there are fail safes. And undoubtedly they are detecting some misbehaviors, but that doesn't mean that there aren't gaps and holes, as we discussed, and defects, even, within those layers. And Mr. Arora appears not to consider that.

Additionally, in the same report, he said that those fail safes would detect any single point of failure, which obviously has been proven false at this point.

Q. Why do you say they've been proven false?

A. Because we've demonstrated that a single byte can cause a UA that can go on until you run out of fuel.

Q. All right. Your next point?

A. When we published those reports, Mr. Arora's response was to do additional vehicle testing that showed when the task X died it was -- the death of that caused the throttle cut and an engine stall when the driver braked.
And so then Toyota and their experts began to say, well, it's not a UA because when the driver brakes, it will stop the incident. And I said to them, no, that is not designed for that purpose, not 100 percent reliable, and depends on what state the car is in at the time. And I told them that in October of last year, about a year ago.

From that time until this summer, Mr. Arora continued to say that this was the, quote, unquote, designed fail safe of the system, until it became apparent that if the UA began with the brake pedal pressed to any degree, that it would continue, as I just showed in that data, until the driver let go.

And so most recently in his deposition in this case, Mr. Arora says, it depends on how much fuel you have, how long this will go on, or your braking ability.

I just want to go back and I missed this point. If that brake echo check was designed by engineers to be a fail safe against UA, then it would not be designed to require the act -- the driver to act before it acted. Fail safes should act before the UA starts, before the driver notices, et cetera, and not require the driver to notice at all or act in some way.

It would never require that a possible action is that the driver would remove their foot from the brake pedal, counter-intuitively, and also increasing a short term risk by letting the car speed up.

As you might not have a lot of braking power against a full throttle, but I guarantee you, as you let off on that pedal, the car is going to speed up. And if you pump back down you're going to lose your vacuum and then you're going to be fighting the old fashioned way without power assist.

Q. We talked earlier about -- let's go see your next 
slide. You have done 13 chapters of a review of Toyota's 
software? 

A. I have. 

Q. In terms of the experts that have been offered by 
Toyota in these other cases, have they refuted or 
rebutted everything you have written about the system? 

A. Very little, actually. 

Q. Can you show us what they have not? 

A. Yes. And I won't say 100 percent because maybe 
there is some small part of some of these chapters that 
have been rebuttal. So don't tell me to 100 percent. 

But by and large, of the 13 chapters, I believe the 
count is 11 of them are not rebutted or refuted in any 
way. And these involve the stack potential overflow we 
talked about, the code complexity being untestable and 
unmaintainable, not violating -- not following their own 
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coding standard, violating MISRA. 

I guess, technically, the response there is that 
they didn't have to follow MISRA. There's no rule. The 
fail safe modes being disabled when task X dies. The 
watchdog supervisor being abysmal. The software 
architecture with the kitchen sink task and the control 
of the throttle and fail safes in the same task has not 
been rebutted. 

The lack of E-vac has not been rebutted. The 
software bugs in the -- in my software bugs chapter. I 
understand from his deposition just last month that Mr. 
Arora has not looked at those. And the operating system 
defects, the unmirrored variables, and Toyota's misuse of 
it and the nonstandard operating system has not been 
rebutted. 

I just have one more point. And that's also that, 
from what I've seen, most of Dr. Koopman's opinion, he 
does have one chapter. It's a large chapter, but most of 
his opinions, most of things you've heard from him have 
not been rebutted in any way either. 

Q. All right. Let's go to the next slide. Other 
stories, we've talked about those briefly. 

Are you aware of whether Mr. Arora has actually 
taken some of these other depositions as part of his 
analysis in whether UA can occur? 
A. Whether Mr. Arora has reviewed other similar 
incidents? 

Q. Yes, sir. If you know. 

A. I don't recall. 

Q. Very good. We've been through it once. I don't 
want to belabor, but you looked at other instances, other 
sworn testimony of people that claim to have been 
involved in UA's? 

A. Yes. To be clear, not all of it was sworn 
testimony. 

Q. Okay. And I think that goes to the part at the 
bottom of the screen? 

A. That's correct. 

Q. Where were the sources of this information? 

A. I got the information about complaints about 
unintended acceleration from principally three places. 
One is, I searched -- NHTSA has an on-line database where 
you can go and complain about something that happens in 
your car. And I searched that database for incidents 
that involve descriptions of unintended acceleration and 
reviewed those cases and have cited to solve them in an 
appendix in my report. 

I also reviewed Toyota's internal documents and 
those are, when a customer has a problem with a car, 
Toyota will maintain a file on that car. They call it a 
field technical report, FTR. I reviewed documents that 
Toyota's produced that relate to those. 

And then finally also, I reviewed claims like St. 
John, Mr. Van Alfen. 

Q. Did that include other depositions and sworn 
testimony? 

A. Yes. With respect to the claims, it's generally 
sworn deposition and testimony. 

Q. Let me hand you a report that is St. John. 

MR. BIBB: We renew our objection. 

THE COURT: Okay. 

MR. BIBB: Do I need to object to each and 
every one of those? There are certain facts that need to 
be brought out. I can cross-examine him now and talk 
about it all when we come back tomorrow. 

THE COURT: No. Unless you've got something 
that you didn't raise when we made our record outside the 
presence of the jury you need to raise it now, because I 
obviously won't have ruled on that. 

MR. BIBB: Thank you. 

Q. (BY MR. CLARK) Have you found your opinions, where 
you start? 

A. Yes. I think it starts on page 75. 

Q. What I want to do is just have you, kind of, not in 
great detail, but in terms of general facts, that you 
evaluated for specific instances as part of your analysis 
in this case, I want you to tell me about those. 

MR. BIBB: We renew all the objections. 

THE COURT: Okay. And that will be so noted 
and so you don't have to do it for each and every one. 

MR. BIBB: Thank you, very much. 

THE COURT: Yes. It will be carried over for 
each one. 

Q. (BY MR. CLARK) All right. Let's start with the Barris 
Ford Hill incident. 

A. Yes. Mr. Barris Ford Hill reported unintended 
acceleration while driving a 2005 Camry while attempting 
to enter a parking space. The vehicle -- 

MR. BIBB: Excuse me. If he's going to read it 
he needs to read the whole thing. 

THE COURT: Okay. Well, counsel, remember, I 
had ruled. I granted part of your objection, so I don't 
know. 

MR. BIBB: Okay. 

THE COURT: I mean. 

MR. BIBB: I mean you know, I take that back. 
Your Honor. I'll bring this out on cross-examination the 
distinct differences. 

THE COURT: Okay. And you still follow my 
previous ruling about the stuff that cannot come in? 
MR. CLARK: Yes, ma'am. That's what I'm trying 
to do. 

THE COURT: Okay. 

Q. (BY MR. CLARK) Go ahead. 

A. While attempting to enter a parking space the 
vehicle suddenly accelerated and caused a crash into a 
guardrail and wall. 

Q. All right. How about the Brown incident, Leigh 
Brown? 

A. Ms. Brown was driving a 2007 Camry when she 
experienced unintended acceleration while she was merging 
onto the freeway. 

Q. According to the information you had, did she press 
the brakes? 

A. She applied the brakes but was unable to stop the 
vehicle. 

Q. Let's go to Linda Chory. And let me back up. The 
Brown incident occurred August 5th, 2007? 

A. That's correct. 

Q. And Linda Chory, when did her incident occur? 

A. May of 2010. 

Q. And what vehicle was she driving? 

A. A 2007 Camry. 

Q. What were the general circumstances of her incident? 

A. The vehicle surged forward three times while stopped 
after exiting an on and off ramp, causing an accident. 

Q. All right. How about the next page, Doris Dejoie 
(ph)? When did that incident happen? 

A. May, 2010. 

Q. And what vehicle? 

A. It was a 2007 Camry. 

Q. Again, are all these vehicles that we're going to 
talk about ones that you have found software to be 
substantially similar to the 2005? 

A. Yes. 

Q. In terms of a UA event, did it have the same 
defects and some of the same problems that you described 
for us? 

A. With respect to the relevant details, substantially 
similar, yes. 

Q. With regard to this event in Texas, can you tell us 
what it was? 

A. She was backing out of the driveway with her foot on 
the brake and the vehicle accelerated suddenly and would 
not stop. 

Q. And Ezal, first name, Buled. What was the date of her 
incident? 

A. It's actually a gentleman. It was February of 2007. 

Q. And what vehicle? 

A. It was a 2005 Camry. 

Q. Would you describe the facts of that? 

A. While entering a parking space, the vehicle 
accelerated over a curb, across the sidewalk, through two 
fences and over a cliff. 

Q. Did he apply the brakes? 

A. He applied the brakes but was unable to stop the 
vehicle. 

Q. How about Elise Hazel? 

A. I think it's Elsie. 

Q. Elsie. When did she have an incident? 

A. Sometime in 2009. I didn't note the specific date 
here. 

Q. And what vehicle was she driving? 

A. It was a 2008 Camry. 

Q. And generally, what was the incident that she 
experienced? 

A. While she was parking, the vehicle accelerated 
forward through a window of a store. She applied the 
brakes but was unable to stop the vehicle. 

Q. Mr. Manfred Heinrick, what vehicle was he driving? 

A. Mr. Heinrick had a 2007 Camry. 

Q. Did he experience multiple incidents? 

A. He did. He experienced about three different 
incidents over about a five-month period. 

Q. One on May 24th, 2007? 
A. That's correct. That was the first one. 

Q. And tell me about that experience. 

A. He was on a highway and the cruise control got stuck 
at 65. And after hitting the brakes, the vehicle 
accelerated up to 85. He applied the brakes but was 
unable to stop. 

Q. Do you have a date here for the second incident? 

A. August the 12th, 2007. 

Q. And what did he experience the second time? 

A. In this case he was merging into heavy traffic at 
about 30 miles an hour. He stepped on the -- though he 
stepped on the brake with both feet, the vehicle 
continued to accelerate. 

Q. The last one was in September of 2007? 

A. Yes. 

Q. What was -- describe what happened? 

A. He was stopped at a railroad crossing and the vehicle 
accelerated on its own. The brakes were applied but it 
didn't stop the vehicle. 

Q. The next one, James Highland from Ohio. What was 
the date of that incident? 

A. It was in May 2010. 

Q. What vehicle was he driving? 

A. A 2009 Camry. 

Q. Can you describe for us, generally, the incident? 
A. While he was exiting the highway with the cruise 
control at 65, he touched the brake pedal and the car's 
engine immediately began to race to full throttle. He 
was able to stop the vehicle by shifting to neutral. 

Q. Anita Gorge, when was her incident? 

A. December of 2009. 

Q. And what vehicle was she driving? 

A. A 2005 Camry. 

Q. Can you tell us about her incident? 

A. She was slowly pulling into a parking space with her 
foot on the brake pedal and the vehicle suddenly surged 
forward. It jumped a curb in front of the parking space, 
hit a tree and slammed into a steel parking meter. 

Q. Colleen Lambert, when was her incident? 

A. July of 2008. 

Q. What was she driving? 

A. A 2005 Camry. 

Q. What was her experience? 

A. She was going about 20 miles an hour, coasting into 
a parking lot when the vehicle accelerated on its own. 
She applied the brakes, which was seen by her brother, 
Jim, but was unable to stop the vehicle and collided with 
another vehicle. 

Q. Mr. Lee, when was his incident? 

A. Mr. Lee was June, 2010. 
Q. And what vehicle was he driving? 

A. A 2007 Camry. 

Q. And what did he experience? 

A. He was at a stop in a parking lot, and as he applied 
the brake, the vehicle accelerated on its own toward a 
vehicle in front of him. 

Q. Amed Master, did he have multiple events? 

A. Yes. 

Q. What vehicle was he driving? 

A. A 2009 Camry. 

Q. What was his first date -- first event? 

A. March of 2010. 

Q. What was his experience at that time? 

A. While he was entering the highway, the vehicle 
wanted to continue to accelerate. He applied the brakes 
but was unable to stop the vehicle. 

Q. What was the second incident? 

A. It was two months later. May, 2010. 

Q. And what were the circumstances of that incident? 

A. The vehicle accelerated for about 10 seconds while 
driving at 50 miles an hour. 

Q. Do you know if he applied the brakes in that 
instance? 

A. Not from my notes here. 

Q. Cynthia Neil, when was her incident? 
A. In December of 2007. 

Q. What vehicle was she driving? 

A. A 2007 Camry. 

Q. And what were the circumstances of her event? 

A. While she was pulling into a parking space, the 
engine speed surged and the vehicle surged forward over a 
snow bank and hit a guardrail and tree. She applied the 
brakes but was unable to stop the vehicle. 

Q. Mary Creeks Morrison, when was her incident? 

A. May of 2008. 

Q. And what vehicle was she driving? 

A. A 2008 Camry. 

Q. And what were the circumstances of her event? 

A. She was on a highway driving about 60 miles an hour 
while passing a vehicle and it suddenly surged to 80 
miles an hour. 

Q. Did brake application stop it? 

A. She applied the brakes but was unable to stop the 
vehicle. She called 911 during the event and was told to 
put the car into park and turn it off. Doing so 
stopped the vehicle. 

Q. Roger Rick, when was his event? 

A. September of 2010. 

Q. And what was he driving? 

A. A 2008 Camry. 
Q. What were the circumstances of his event? 

A. He was coming to a stop at an intersection and the 
vehicle jumped forward with high engine speed. 

Q. Charles Sheppard, when was his event? 

A. I just have here spring of 2008. 

Q. And what vehicle? 

A. A 2007 Camry. 

Q. What were the circumstances of his event? 

A. He placed his foot over the brake pedal when the car 
accelerated and caused an accident. The Toyota 
representative inspected the vehicle and couldn't find 
anything wrong. 

Q. Heather Skelton, when was her event? 

A. June of 2010. 

Q. What vehicle was she driving? 

A. A 2007 Camry. 

Q. What were the circumstances of her event? 

A. She was at a complete stop and the vehicle surged 
ahead unexpectedly. She still had her foot on the brake 
when the vehicle surged. 

Q. Margaret Schwarzman, what vehicle was she driving? 

A. A 2005 Camry. 

Q. And when was her event? 

A. August, 2007. 

Q. What were the circumstances of her event? 
A. While she was turning left onto a residential road 
near her home, the vehicle accelerated out of control, 
causing her to hit a curb and crash into a parked 
vehicle. She was unable to control or stop the vehicle 
by applying the brakes. 

Q. Paul Van Alfen, what was the date of his event? 

A. November, 2010. 

Q. What vehicle? 

A. A 2008 Camry. 

Q. Is this the one that Dr. Koopman mentioned? 

A. Yes. 

Q. Is this the one which you mentioned? 

A. Yes. 

Q. What were the general circumstances of this event? 

A. Mr. Van Alfen was traveling with his wife and two 
passengers. And they were exiting the highway in Utah. 
And the vehicle maintained its speed when he did not want 
it to and caused a crash at the end of the ramp. 

Q. The last one here on your list is a Joel Wyenn. 
What are the circumstances -- what vehicle? 

A. 2005 Camry. 

Q. Do you have a date? 

A. I have May, 2006. 

Q. And what were the circumstances of that event? 

A. While slowly pulling into a parking space, the 
vehicle moved forward unexpectedly, jumped the parking 
lot and crashed into a concrete wall. He also had a 
prior incident two months earlier in which the vehicle 
engine was racing. 

Q. Does -- and was this report actually written for 
another case? 

A. Yes. 

Q. What's the name of that? 

A. That's the St. John case. 

Q. Ida St. John? 

A. Yes. 

Q. What vehicle was she driving? 

A. A 2005 Camry, like this one. 

Q. Generally, what are the circumstances of her 
accident? 

A. The car accelerated away from the stop sign and she 
went through a schoolyard and hit a concrete -- impacted 
a tree and a concrete column where the vehicle came to 
rest. 

Q. And you've reviewed and analyzed the events we've 
just discussed? 

A. Yes. 

Q. Based on the information that you have, is it your 
opinion that these cases, more likely than not, also 
suffered a UA as a result of the software? 
A. Well, I haven't done a root cause analysis on all 
these cases. But what I have done is, as an engineer, 
working in trying to debug complex systems over the years 
in my career, I have found it extremely useful in terms 
of understanding where the defects are, what kinds of 
misbehaviors can occur, to review and study complaints of 
users who say the system isn't working right. 

And these incidents for which mechanical causes do 
not appear to be the cause, and software failure is 
consistent with the description of the accident, informed 
me, as a set, that there's a pattern and that pattern 
informed my analysis of source code and it informs my 
analysis of this specific case. 

Q. And have we gone over all of your case-specific 
opinions in this case? 

A. Yes. 

Q. And I think you mentioned earlier, but to be sure, 
are those to a reasonable degree of engineering 
certainty? 

A. Yes. 

Q. All right. Now I want to shift gears just for a 
minute and ask you some questions about the work that was 
done by Mr. Arora. 

Have you reviewed his deposition in this case that 
was taken? 
A. I have. 

Q. And specifically September 24th. 

A. Sounds about right. 

Q. Does Mr. Arora address some of the issues you've 
discussed here today? 

A. Yes. 

Q. Did Mr. Arora do any vehicle testing on track that 
he talked about in his deposition? 

A. Yes. 

Q. And did he perform some tests at 45 miles an hour? 

A. He did. 

Q. Do you understand that Mr. McCort has testified that 
he believes that from the skid marks being left, that the 
speed of the vehicle in this case was around 40 miles an 
hour? 

A. I do. 

Q. Did any of Mr. Arora's tests that you reviewed 
change your mind about your opinion in this case? 

A. No. 

Q. Can you describe for us, generally, the test that 
you performed, in terms -- and I know he did some at 
different speeds, but I want to focus on 45 miles an 
hour. 

A. There was a set of tests. As I understand, the 
vehicle was always operated at 45 miles an hour. It was 
always a 2005 Camry. And experiments were performed with 
tasks, one at a time. And at a certain spot on the 
track where there was a cone or a marker, the brake was 
pressed with 60 pounds of force. And then the vehicle 
was stopped and there were cones placed at 50, 100, 150 
feet and every 50 feet beyond that. 

Q. And did he also run a test applying 112 pounds of 
pressure? 

A. He did. 

Q. And we're going to focus on the 60 pounds? 

A. That's correct. 

Q. Was there any specific paperwork put together that 
describes the exact distance, stopping distance, for a 
test? 

A. If there was I couldn't find it. I got a big hard 
drive with 50 gigs of stuff. 

Q. In terms of the stopping distance of the vehicle, 
once it goes through, is the only way to determine the 
distance, is to look at the cones? 

A. Yes. That's a reasonable way to do it. 

Q. At the time the brake is applied as it goes through 
and we look at these tests, what position was the 
throttle in based on your review of these cases? 

A. My understanding of the tests is that the throttle 
was not open at the time. 
Q. All right. So in terms of the test, as they are 
headed toward the gate, the brake is applied at 60 pounds 
of pressure and the throttle is released? 

A. Yes. But that may not apply to all of the cases. 
But the ones that you and I focused on, certainly that's 
the case. 

Q. All right. Can you pull it for us to look at? 

A. Yes. 

Q. All right. Let's take a look at ATS-10511. 
Is this your starting gate? 

A. Yes. 

Q. Is that two cones there? 

A. At the starting gate? Yes. 

Q. Is that what drives through those? 

A. Yep. That's what I see there. Yeah. 

Q. As you go through there, are there cones and this 
would be at 100 feet and this would be at 50? 

A. That's what I see. 

Q. All right. Is that the vehicle at a stop? 

A. Yes. 

Q. All right. Can you -- and to help us, did we finally 
come to the location? 

A. Yes. A little zooming helps. 

Q. So two gates were entered, correct? 

A. That's right. 
Q. So in terms of stopping the car with no throttle and 
the service brakes only at 45 miles an hour, where did 
the vehicle stop? 

A. Before 100, certainly. 

Q. Let's take a look at -- just so the jury is clear. 
All of these are at 45 miles an hour? 

A. They are all 45 miles an hour and with 60 pounds of 
braking force, which is the lesser amount of braking 
force that he applied in his experiments. 

Q. There's no throttle? 

A. That's correct. This is 13. Can we see the 
enhanced photo of 13. 

Q. Based on your review of this test was he able to 
stop the vehicle with service brakes only, no throttle, in 
less than 100 feet? 

A. Yes. 

Q. At 45 miles an hour? 

A. Yes. 

Q. Let's go to 15. 

MR. BAKER: We had to reboot, Your Honor. That 
one won't play. Your Honor, let's do 23. Can we have 
just a second? 

THE COURT: Certainly. 

Q. (BY MR. BAKER) If we can see the still. So again 
this is test 15. Again, 45 miles an hour when brakes 
are applied, no throttle, correct? 

A. That is correct. 

Q. This one looks like it got almost to 100 feet before 
it stopped? 

A. Almost to 100. 

Q. 23, Your Honor, two more. Can we see the still for 
23? Again, 45 miles an hour at the time the brake is 
applied, no throttle, was this vehicle able to stop in 
less than 100 feet? 

A. Yes. 

Q. The last one is 25. Is the vehicle again stopped at 
less than 100 feet? 

A. Yes. 

Q. All right. Put up 5726, please. The jury has 
already seen this in evidence, Mr. McCort's scene 
diagram. You've seen this before? 

A. I have. 

Q. And there has been a great deal of discussion about 
the skid mark that is out there. Do you understand that 
the total length from beginning to the back tire where 
the car rested was approximately 100 feet? 

A. No. 

Q. What did I say? I'm sorry, 150. 

A. You said 100, 150. 

Q. I need to reboot. Can we see here, we see 101 on 
the pavement and then another 24 for 125 on the pavement? 

A. That is my understanding, approximately. 

Q. And assume for me there is another six feet of 
improved pavement for approximately 131. 

A. Okay. 

Q. Assume that. If we assume at the beginning of this 
skid mark that Ms. Bookout is applying her service brake 
and not her accelerator, and she is going 45 miles an 
hour and her throttle's not open, based on Mr. Arora's 
test that we just saw what should have happened? 

A. I think the vehicle would have stopped. There's 101 
foot section there to the fog line, I think that the 
vehicle would have stopped in that distance. 

Q. If Toyota's correct in what they've been talking 
about in this case and there is no UA, and Ms. Bookout 
left this skid mark by her service brakes alone, she's 
not on the throttle, what does Mr. Arora's test tell you 
when she is traveling? 

A. His test, the one we showed you with the throttle 
closed, demonstrates that if it takes 150 feet or more 
to stop -- more, since there was an impact speed of 20 
miles an hour -- the throttle must have been open. 

Q. If the throttle was not open should the vehicle have 
stopped according to Mr. Arora's test? 

A. Yes. 
MR. BAKER: Move to admit all the prior 
exhibits including the pictures. At this time I would 
tender the witness. 

THE COURT: Mr. Bibb, do you wish to wait until 
the morning? 

MR. BIBB: I really would, Your Honor. 
It's been a long day. 

THE COURT: It has. Ladies and gentlemen, we 
are going to be in recess for the day, it is 20 till 
five. I will see you tomorrow morning at 9:00. Do not 
discuss the case, do not begin to form any opinions about 
the case. And remember to check in the jury assembly 
room in the morning. 

Thank you very much and have a good evening. All 
rise when the jury is exiting. 